Automated Integrity Verification of Web Downloads

Summary
Downloadable files on the web are often accompanied by checksums, which can be used to verify the integrity of these files after they have been downloaded. However, studies have found that this verification check almost always goes unused, because many users are unfamiliar with the verification procedure, and the procedure is manual and tedious. This presents a problem, because users who download files from the web without verifying their integrity may be exposing themselves to the risk of malware, ransomware, etc. in the event that the downloadable file was tampered with by a malicious actor. To counter this attack vector, we offer an automated solution for verifying the integrity of web downloads that runs without user intervention.

Background
If you’ve landed on this page, then you’re probably familiar with checksums used to verify the integrity of downloadable files on the web. These checksums are usually derived from cryptographic hash functions, and are typically published near the link to download a file from the web, like so:

download.dl   (SHA256: f17214c34b5d37d1578949f66018b64528e6fc32d01018a67bb1b989691fe782)

After downloading the file to their system, the user can take the checksum of the file, and verify that the actual checksum of the file matches the expected checksum as published on the site. If not, then the file may have been compromised or tampered with.

This verification is especially vital if the file is hosted on a third-party server, such as a mirror site or content delivery network (CDN). Even if an attacker (such as a rogue employee of the company hosting the third-party server, or a hacker who is able to gain access to the third-party server) is able to compromise the file hosted on the third-party server, the attacker would then also need to update the checksum published by the trusted server. Compromising both the trusted server and the third-party server is beyond the capability of the attacker in most cases. Therefore, by comparing the actual checksum of the file downloaded from the third-party server with the expected checksum published by the trusted server, the user is able to detect whether the file was compromised or tampered with while hosted on the third-party server.

However, this integrity verification procedure often goes unused, as reported in a 2018 paper by Mauro Cherubini et al. Most non-technical users are simply unfamiliar with the verification process and how to apply it. And, even technical users often neglect to perform the verification process, because it’s manual and tedious. Yet, failure to verify the integrity of a file downloaded from the web can have disastrous consequences if the file was compromised. Adrian Colyer’s blog post on this subject does an outstanding job of summarizing Cherubini’s findings, and goes on to underscore the need for an automated solution to this problem.

Cherubini and Colyer note that subresource integrity (SRI) is not a solution to this problem. SRI cannot be used with <a> tags to verify the integrity of downloadable files, because SRI's use is limited to <script> tags (for JavaScript files) and <link> tags (for stylesheet files). Therefore, Cherubini and Colyer propose a browser extension for automatically performing integrity verification on downloadable files, similar to the way that SRI is used to perform integrity verification on JavaScript and stylesheet files.

Solution
We propose an automated solution for verifying the integrity of web downloads that does not require a browser extension. Our solution automates integrity verification of downloadable files using a short JavaScript function. The JavaScript function is served by the trusted server, and runs within the user's web browser. In all, the trusted server serves three items:

  1. the URL of the downloadable file
  2. the expected checksum of the file
  3. a JavaScript function that downloads the file and performs the integrity verification

The JavaScript function, running within the user's web browser, downloads the file from the URL provided in (1) above, then verifies that the actual checksum of the file matches the expected checksum provided in (2) above. Then, if (and only if) the actual checksum matches the expected checksum, the user is prompted to open or save the file on their system. Otherwise, the user is warned that the file may have been compromised, and the user is not given the opportunity to open or save the file. The entire process runs without user intervention, and without the need for the user to install a browser extension.

Demo
The solution is implemented in the demo below. In this demo, the file resides on a third-party server on Amazon's AWS network. The trusted server (hosting this web page) serves the URL of the file hosted on the third-party server (https://ivdfw.s3.us-east-2.amazonaws.com/download.dl), the expected checksum of the file (f17214c34b5d37d1578949f66018b64528e6fc32d01018a67bb1b989691fe782), and the JavaScript function that performs the file download and integrity verification. Upon clicking the link below, the user sees that the integrity verification is successful, and the file is made available to the user to open or save to their system:

Below is a second demo, simulating a case where the file may have been tampered with, as the actual checksum of the file does not match the expected checksum. Upon clicking the link below, the user sees that the integrity verification fails, and the file is not made available to the user to open or save to their system:

Conclusion
Downloadable files tend to be static and larger in size, so these files are well suited for hosting on a third-party host such as a mirror site or CDN. By offloading these files to a third-party host, companies are able to reduce the load on their primary web servers, and achieve greater redundancy and reliability for the hosting of these files, while users are likely to benefit from faster downloads. However, companies that choose to offload downloadable files to third-party hosts should be aware of the security implications of doing so, and may want to consider implementing this solution.

Licensing and Implementation Inquiries
This solution is protected by US Patent #10,505,736. Licenses and implementation assistance are available free of charge to all non-profit organizations distributing open-source software, and are available for a reasonable charge to all other entities. Please contact Meixler Technologies, Inc for all licensing and implementation inquiries.
