Towards Usable Checksums: Automating the Integrity Verification of Web Downloads for the Masses

Internet users can download software for their computers from app stores (e.g., Mac App Store and Windows Store) or from other sources, such as the developers' websites. Most Internet users in the US rely on the latter, according to our representative study, which makes them directly responsible for the content they download. To enable users to detect if the downloaded files have been corrupted, developers can publish a checksum together with the link to the program file; users can then manually verify that the checksum matches the one they obtain from the downloaded file. In this paper, we assess the prevalence of such behavior among the general Internet population in the US (N=2,000), and we develop easy-to-use tools for users and developers to automate both the process of checksum verification and generation. Specifically, we propose an extension to the recent W3C specification for sub-resource integrity in order to provide integrity protection for download links. Also, we develop an extension for the popular Chrome browser that computes and verifies checksums of downloaded files automatically, and an extension for the WordPress CMS that developers can use to easily attach checksums to their remote content. Our in situ experiments with 40participants demonstrate the usability and effectiveness issues of checksums verification, and shows user desirability for our extension.

[1]  Elissa M. Redmiles,et al.  How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior , 2016, CCS.

[2]  R. Sharpe On the importance of being Earnest , 1995 .

[3]  Steven Furnell,et al.  Assessing the security perceptions of personal Internet users , 2007, Comput. Secur..

[4]  Daniel T. Levin,et al.  Unseen and Unaware: Implications of Recent Research on Failures of Visual Awareness for Human-Computer Interface Design , 2004, Hum. Comput. Interact..

[5]  Nuria Oliver,et al.  A Refined Experience Sampling Method to Capture Mobile User Experience , 2009, ArXiv.

[6]  Bart Preneel,et al.  Cryptographic hash functions , 2010, Eur. Trans. Telecommun..

[7]  Adrienne Porter Felt,et al.  Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness , 2013, USENIX Security Symposium.

[8]  Mervyn A. Jack,et al.  User perceptions of security, convenience and usability for ebanking authentication tokens , 2009, Comput. Secur..

[9]  Jeffrey C. Mogul,et al.  Instance Digests in HTTP , 2002, RFC.

[10]  Bonnie Brinton Anderson,et al.  How Polymorphic Warnings Reduce Habituation in the Brain: Insights from an fMRI Study , 2015, CHI.

[11]  Ian Goldberg,et al.  SoK: Secure Messaging , 2015, 2015 IEEE Symposium on Security and Privacy.

[12]  M. Just,et al.  Eye fixations and cognitive processes , 1976, Cognitive Psychology.

[13]  Joseph H. Goldberg,et al.  Eye tracking in web search tasks: design implications , 2002, ETRA.

[14]  Linden J. Ball,et al.  Eye Tracking in Human-Computer Interaction and Usability Research : Current Status and Future Prospects , 2004 .

[15]  Andrea Back,et al.  Deterrent Effects of Warnings on User's Behavior in Preventing Malicious Software Use , 2017, HICSS.

[16]  Kelly O. Finnerty,et al.  Cyber Security Breaches Survey 2020 , 2019 .

[17]  Serge Egelman,et al.  Behavior Ever Follows Intention?: A Validation of the Security Behavior Intentions Scale (SeBIS) , 2016, CHI.

[18]  Serge Egelman,et al.  The Importance of Being Earnest [In Security Warnings] , 2013, Financial Cryptography.

[19]  Lorrie Faith Cranor,et al.  Your attention please: designing security-decision UIs to make genuine risks harder to ignore , 2013, SOUPS.

[20]  Lorrie Faith Cranor,et al.  You've been warned: an empirical study of the effectiveness of web browser phishing warnings , 2008, CHI.

[21]  Elissa M. Redmiles,et al.  Where is the Digital Divide?: A Survey of Security, Privacy, and Socioeconomics , 2017, CHI.

[22]  Blase Ur,et al.  Can Unicorns Help Users Compare Crypto Key Fingerprints? , 2017, CHI.

[23]  Thomas Shrimpton,et al.  Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance , 2004, FSE.

[24]  Sunny Consolvo,et al.  An Experience Sampling Study of User Reactions to Browser Warnings in the Field , 2018, CHI.

[25]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[26]  Roy T. Fielding,et al.  Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content , 2014, RFC.

[27]  Dustin Ormond,et al.  Warning! A Comprehensive Model of the Effects of Digital Information Security Warning Messages , 2015 .

[28]  M. Angela Sasse,et al.  Obstacles to the Adoption of Secure Communication Tools , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[29]  Matthew Smith,et al.  An Empirical Study of Textual Key-Fingerprint Representations , 2016, USENIX Security Symposium.

[30]  Lorrie Faith Cranor,et al.  Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.

[31]  J. Day,et al.  Computer and Internet Use in the United States: 2003 , 2005 .

[32]  Christopher Krügel,et al.  What the App is That? Deception and Countermeasures in the Android User Interface , 2015, 2015 IEEE Symposium on Security and Privacy.

[33]  Sunny Consolvo,et al.  Improving SSL Warnings: Comprehension and Adherence , 2015, CHI.

[34]  Daniel Zappala,et al.  Is that you, Alice? A Usability Study of the Authentication Ceremony of Secure Messaging Applications , 2017, SOUPS.

[35]  Julien Freudiger,et al.  The Inconvenient Truth about Web Certificates , 2011, WEIS.

[36]  Justin Cappos,et al.  A look in the mirror: attacks on package managers , 2008, CCS.

[37]  Mohammad Maifi Hasan Khan,et al.  Why Do They Do What They Do?: A Study of What Motivates Users to (Not) Follow Computer Security Advice , 2016, SOUPS.

[38]  Praveen Gauravaram,et al.  Cryptographic Hash Functions , 2010, Encyclopedia of Information Assurance.

[39]  Ross J. Anderson,et al.  Reading this may harm your computer: The psychology of malware warnings , 2014, Comput. Hum. Behav..

[40]  Hung-Min Sun,et al.  A Study of User-Friendly Hash Comparison Schemes , 2009, 2009 Annual Computer Security Applications Conference.

[41]  Bonnie Brinton Anderson,et al.  More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable , 2016, Inf. Syst. Res..

[42]  L. Tam,et al.  The psychology of password management: a tradeoff between security and convenience , 2010, Behav. Inf. Technol..

[43]  Vijay Erramilli,et al.  Your browsing behavior for a big mac: economics of personal information online , 2011, WWW.