How to check a Checksum on Windows
Posted on 2020 August 11
It’s time to stop ignoring checksums.
Software developers will often publish checksums alongside the download links on their websites. Comparing that published value against the checksum of the file you actually received is a way to confirm that what arrived at your end of the download is what the developer offered.
Checking the checksum of a downloaded file protects against one class of risk: the file being intercepted mid-transfer and modified. A sufficiently sophisticated attacker can do this to add malware or spyware to an otherwise normal download.
Keep in mind that this only protects against attacks on the wire; it cannot tell you whether the publisher's own copy, or the checksum it published, is trustworthy. So for the sake of argument let’s assume that the site is publishing a correct checksum and transferring trusted data.
It’s time to protect ourselves as software consumers a bit more. Check the Checksum!
How to actually check a Checksum on Windows
Open up a command prompt of your choosing (just search for “command prompt” or “terminal”) and run this command:
certutil -hashfile <filepath> MD5
certutil -hashfile C:\Users\Rob\Downloads\some-setup.exe MD5
Observe the checksum and compare it against what was published on the developer’s website.
If it matches -> 🎉 Yay! 🎉
If it doesn’t match -> 😰 Skip this product and maybe check if other people have had this problem (check Reddit or StackOverflow)?
Please note: This is not an endorsement of WinSCP, but I used it recently and noticed that they published their Checksums. ❤
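Here is a small PowerShell helper that scripts the compare step above and warns about the weaker algorithms listed further down the page. It is an added example, not code from the original post; it uses the built-in Get-FileHash cmdlet rather than certutil, and the function name, the temporary file and the "hello" self-check are my own constructions.

```powershell
# Added example, not part of the original post. Requires Get-FileHash (PowerShell 4+).
# Get-FileHash does not offer MD2/MD4; use certutil if a publisher only lists those.
function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,   # value copied from the publisher's page
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )
    # Published values are often prefixed ("sha256:"), quoted, or pasted with stray
    # whitespace or line breaks; normalise before comparing so a copy/paste slip
    # does not masquerade as tampering.
    $want = ($Expected -replace '^\s*(sha\d+|md5)\s*[:=]\s*', '' -replace '[\s"]', '').ToLowerInvariant()
    $have = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()

    if ($Algorithm -in 'MD5', 'SHA1') {
        Write-Warning "$Algorithm is no longer collision-resistant; prefer a SHA-2 value if the publisher offers one."
    }
    if ($want -notmatch '^[0-9a-f]+$' -or $want.Length -ne $have.Length) {
        Write-Warning "Expected value is not a $($have.Length)-character hex $Algorithm digest; check what you copied."
    }
    [pscustomobject]@{
        File      = $Path
        Algorithm = $Algorithm
        Expected  = $want
        Actual    = $have
        Match     = ($want -eq $have)
    }
}

# Self-check on a constructed file: SHA-256 of the ASCII bytes "hello" is a well-known value.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'checksum-demo.txt'
[IO.File]::WriteAllBytes($tmp, [Text.Encoding]::ASCII.GetBytes('hello'))
$r = Test-DownloadChecksum -Path $tmp -Algorithm SHA256 `
     -Expected 'SHA256: "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824"'
$r | Format-List
if (-not $r.Match) { throw "Checksum mismatch: skip this download." }
Remove-Item $tmp

# Real use: substitute your own download and the value from the developer's site.
# Test-DownloadChecksum -Path "$env:USERPROFILE\Downloads\some-setup.exe" -Expected '<published SHA256>'
```

The self-check should print Match : True; for a real download, a False result is the "skip this product" case from the steps above.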
Thoughts on Accessing Checksums
Checksums should be easier for people to find. I can’t honestly expect average computer users to open up a terminal and run a command that they’ve never heard of (and maybe even for the first time). It’s kind of intimidating for casual computer users to do this. I would very much expect neophytes to think that I’m installing a virus on their computer. :(
So I started thinking about how to best put checksums in front of users. At first I thought that checksums should live in the file browser, and it would be easy to find there. I mean, most computer users know how to find photos on their computers, and they have some experience with metadata in the form of ‘Date Modified’ next to the filename. Maybe a special section of the UI should activate when the file explorer is in the Downloads directory, since the context would make sense to show the checksums.
But then I worry that this would just be clutter for users. An average hash is a HUGE bundle of letters and numbers and doesn’t mean anything on its own.
Also keep in mind that publishing checksums is only useful when downloading a file. Once it’s been confirmed, it’s probably not going to be checked again. Also, publishing checksums is not a universal requirement (I didn’t see it on Steam’s page, for example).
So scrapping that, I think the best spot to include checksum information to the user would be at the point of download in the browser.
It’s most likely that a checksum would be available on a website when downloading something. Perhaps Chrome should pop up a window with a few checksums for the downloaded file (ex: MD5, SHA1, SHA256) and inform the user that they could/should look for these on the publisher’s website. Chrome has such a huge reach that this would eventually enforce publishing a checksum as a standard action.
You can check which hashing algorithms are available by using this command:
certutil -hashfile -?
At the time of writing, these are the allowed values:
MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
Be warned: some of these algorithms are no longer cryptographically secure. MD2, MD4, MD5 and SHA1 are all broken against collisions, so when the publisher offers more than one checksum, compare the SHA256 (or stronger) one.
Read more on Checksums -> https://en.wikipedia.org/wiki/Checksum