{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T18:02:29Z","timestamp":1772906549956,"version":"3.50.1"},"reference-count":52,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2020,9,28]],"date-time":"2020-09-28T00:00:00Z","timestamp":1601251200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"name":"HEC Lausanne","award":["2019"],"award-info":[{"award-number":["2019"]}]},{"DOI":"10.13039\/501100003475","name":"Hasler Foundation","doi-asserted-by":"crossref","award":["19024"],"award-info":[{"award-number":["19024"]}],"id":[{"id":"10.13039\/501100003475","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2021,2,28]]},"abstract":"<jats:p>App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file\u2019s integrity verification code\u2014the checksum\u2014matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist.<\/jats:p>\n          <jats:p>\n            In this article, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. 
First, by means of an\n            <jats:italic>in-situ<\/jats:italic>\n            experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution\u2014a Chrome extension that verifies checksums automatically\u2014significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers, and content creators to increase the use of file integrity verification on their properties.\n          <\/jats:p>","DOI":"10.1145\/3410154","type":"journal-article","created":{"date-parts":[[2020,9,28]],"date-time":"2020-09-28T11:02:35Z","timestamp":1601290955000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["A Study on the Use of Checksums for Integrity Verification of Web Downloads"],"prefix":"10.1145","volume":"24","author":[{"given":"Alexandre","family":"Meylan","sequence":"first","affiliation":[{"name":"Kudelski Security, Switzerland"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1860-6110","authenticated-orcid":false,"given":"Mauro","family":"Cherubini","sequence":"additional","affiliation":[{"name":"University of Lausanne (UNIL), Switzerland"}]},{"given":"Bertil","family":"Chapuis","sequence":"additional","affiliation":[{"name":"University of Applied Sciences and Arts (HES-SO\/HEIG-VD), Switzerland"}]},{"given":"Mathias","family":"Humbert","sequence":"additional","affiliation":[{"name":"armasuisse S+T, Switzerland"}]},{"given":"Igor","family":"Bilogrevic","sequence":"additional","affiliation":[{"name":"Google Inc., 
Switzerland"}]},{"given":"K\u00e9vin","family":"Huguenin","sequence":"additional","affiliation":[{"name":"University of Lausanne (UNIL), Switzerland"}]}],"member":"320","published-online":{"date-parts":[[2020,9,28]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243746"},{"key":"e_1_2_1_2_1","unstructured":"Karen Turner. 2016-07-15. Developers consider Apple\u2019s app store restrictive and anticompetitive report shows. Washington Post (2016-07-15)."},{"key":"e_1_2_1_3_1","unstructured":"Swati Khandelwal. 2018. Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely. https:\/\/thehackernews.com\/2018\/01\/bittorent-transmission-hacking.html. (2018)."},{"key":"e_1_2_1_4_1","unstructured":"Linux Mint Website Hacked; ISO Downloads Replaced with a Backdoor. Security News - Trend Micro USA. https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/linux-mint-website-hacked-iso-downloads-replaced-with-a-backdoor. ([n.d.])."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.20"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the USENIX Security Symposium (USENIX Security). USENIX.","author":"Dechand Sergej","year":"2016"},{"key":"e_1_2_1_7_1","unstructured":"W3C. 
2016. Subresource Integrity. https:\/\/www.w3.org\/TR\/SRI\/. (2016)."},{"key":"e_1_2_1_8_1","doi-asserted-by":"crossref","unstructured":"S. M. Furnell P. Bryant and A. D. Phippen. 2007. Assessing the security perceptions of personal Internet users. Computers & Security 26 5 (Aug. 2007) 410--417. DOI:http:\/\/dx.doi.org\/10.1016\/j.cose.2007.03.001","DOI":"10.1016\/j.cose.2007.03.001"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017470.2017481"},{"key":"e_1_2_1_10_1","volume-title":"Cyber Security Breaches Survey","author":"Rishi Vaidya","year":"2018"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI). ACM, 931--936","author":"Redmiles Elissa M."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS). ACM, 666--677","author":"Redmiles Elissa M."},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (S&P). 272--288","author":"Redmiles Elisa M.","year":"2016"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1357054.1357219"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the USENIX Security Symposium (USENIX Security). USENIX, 399--416","author":"Sunshine Joshua","year":"2009"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the USENIX Security Symposium (USENIX Security). 
USENIX.","author":"Akhawe Devdatta","year":"2013"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39884-1_5"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2014.09.014"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.62"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2016.0644"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2017.600"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3174086"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2501604.2501610"},{"key":"e_1_2_1_24_1","volume-title":"User perceptions of security, convenience and usability for ebanking authentication tokens. Computers & Security 28, 1-2","author":"Weir Catherine S.","year":"2009"},{"key":"e_1_2_1_25_1","volume-title":"The psychology of password management: A tradeoff between security and convenience. Behaviour & Information Technology 29, 3","author":"Tam Leona","year":"2010"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS). ACM, 59--75","author":"Fagan Michael","year":"2016"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00060"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025733"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (S&P). IEEE, 232--249","author":"Unger N.","year":"2015"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.65"},{"key":"e_1_2_1_31_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS). ACM.","author":"Vaziripour Elham","year":"2017"},{"key":"e_1_2_1_32_1","unstructured":"Checksum On the Go. 
Chrome Webstore. https:\/\/chrome.google.com\/webstore\/detail\/checksum-on-the-go\/fholnooplijidhdagedffljaphholpea. ([n.d.])."},{"key":"e_1_2_1_33_1","unstructured":"Files MD5 SHA1 Calculate & Compare. Add-Ons for Firefox. https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/calculate-md5-sha1-hash-che-1\/?src=search. ([n.d.])."},{"key":"e_1_2_1_34_1","volume-title":"A Double Edged Sword. https:\/\/eventtracker.com\/tech-articles\/certificates-and-digitally-signed-applications-a-double-edged-sword\/. (Feb","author":"Digitally Signed Applications Certificates","year":"2016"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-1981-5_5"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS). ACM, 565--574","author":"Cappos Justin"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1002\/ett.4460050406"},{"key":"e_1_2_1_38_1","unstructured":"Computer Security Division Information Technology Laboratory. NIST Policy on Hash Functions - Hash Functions | CSRC. https:\/\/csrc.nist.gov\/projects\/hash-functions\/nist-policy-on-hash-functions. ([n.d.])."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380092"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702322"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702442"},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the IFIP Workshop on Information Systems Security Research. 
IFIP.","author":"Silic Mario","year":"2015"},{"key":"e_1_2_1_43_1","volume-title":"Ball","author":"Poole Alex","year":"2006"},{"key":"e_1_2_1_44_1","volume-title":"Proceedings of the Symposium on Eye Tracking Research & Applications (ETRA). ACM, 51","author":"Goldberg Joseph H."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1016\/0010-0285(76)90015-3"},{"key":"e_1_2_1_46_1","volume-title":"A refined experience sampling method to capture mobile user experience. arXiv:0906.4125 [cs] (June","author":"Cherubini Mauro","year":"2009"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/MPRV.2003.1203750"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/1124772.1124923"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/1620545.1620547"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/765891.766101"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2012.6297926"},{"key":"e_1_2_1_52_1","volume-title":"Proceedings of the International ACM SIGACCESS Conference on Computers & Accessibility (ASSETS). 
ACM, 193--200","author":"Crabb Michael"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3410154","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3410154","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:40:59Z","timestamp":1750200059000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3410154"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,9,28]]},"references-count":52,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,28]]}},"alternative-id":["10.1145\/3410154"],"URL":"https:\/\/doi.org\/10.1145\/3410154","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,9,28]]},"assertion":[{"value":"2019-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-07-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-09-28","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}