App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file’s integrity verification code—the checksum—matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist. In this article, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution—a Chrome extension that verifies checksums automatically—significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers, and content creators to increase the use of file integrity verification on their properties.

中文翻译：

---

使用校验和验证 Web 下载完整性的研究

应用商店提供对数百万种不同程序的访问，用户可以在他们的计算机上下载这些程序。开发人员还可以在其网站上提供可供下载的程序，并直接在其网站或第三方平台（例如镜像）上托管程序文件。在后一种情况下，由于用户在未经开发人员审查的情况下下载软件，因此应采取必要的预防措施以确保其真实性。完成此操作的一种方法是检查已发布文件的完整性验证码（校验和）是否与下载文件的完整性验证码（如果提供）匹配。然而，迄今为止，几乎没有证据表明这样的过程是有效的。更糟糕的是，很少有关于它的可用性研究。在本文中，我们提供了第一个评估手动校验和验证过程的可用性和有效性的综合研究。首先，通过一个原位对 40 名参与者和眼动追踪技术进行实验，我们表明该过程繁琐且容易出错。其次，在对 134 名参与者进行了为期 4 个月的野外实验后，我们展示了我们提出的解决方案——一个自动验证校验和的 Chrome 扩展程序——如何显着减少人为错误，提高覆盖率，并且对可用性的影响有限。遗憾的是，它还证实，在我们的样本中，只有极少数链接到可执行文件的网站提供校验和（0.01%），这强烈呼吁网络标准机构、服务提供商和内容创建者增加使用对其属性进行文件完整性验证。