Automatic checking of downloaded file integrity
We are at higher risk of supply-chain attacks than ever before. A seemingly innocuous file we download from a trusted website could have been maliciously altered by an attacker to compromise our systems, but file integrity checking mechanisms are beyond the reach of the average Internet user.
Websites which care about the security of their users provide a hash (MD5/SHA) or GPG signature file which can be used to verify the integrity of the file with a couple of commands. Although it's straightforward for power users, it's not ideal for those who have never executed commands in the terminal/command prompt.
If file verification can be automated in the browser through a standardized specification of hash signatures, then end users need not verify the integrity of files manually.
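An added example (not code from the original post or from any project it mentions) of what the automated check amounts to: a verifier for the SHA256SUMS-style listing that download pages publish, which a download tool could run on the user's behalf instead of asking them to type `sha256sum -c`. It assumes the GNU coreutils listing format; file names and digests used below are constructed.

```python
"""Verify a downloaded file against a published SHA256SUMS-style list.
Added example, not code from the original post. Assumes the GNU coreutils
format: <hex digest><two spaces or ' *' for binary mode><filename>."""
import hashlib
import hmac
import os

HASH_ALGO = "sha256"  # MD5 lists are still seen, but MD5 is not collision resistant


def parse_sums(text):
    """Map filename -> lowercase hex digest; skips blank lines and '#' comments."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # second space, or the '*' binary-mode marker
        if len(digest) != hashlib.new(HASH_ALGO).digest_size * 2 or not name:
            raise ValueError("malformed line: %r" % line)
        sums[name] = digest.lower()
    return sums


def digest_stream(fileobj, chunk_size=1 << 20):
    """Hash in chunks so a large download never has to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, name, sums_text):
    """True only if `data` matches the digest published for `name`."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:  # an unlisted file must fail closed, not pass
        return False
    return hmac.compare_digest(hashlib.new(HASH_ALGO, data).hexdigest(), expected)


def verify_file(path, sums_text):
    """Same check for a file on disk, looked up by its base name."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    with open(path, "rb") as f:
        return hmac.compare_digest(digest_stream(f), expected)
```

Note that a matching hash only proves the file equals what the site published; if the sums file is served from the same compromised host, only a GPG signature checked against a key obtained elsewhere detects the swap.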
It might be worth noting that most Windows & macOS users download all their software from their App Store, and an average Linux/Unix user likely knows how to execute commands, so this problem likely affects only those who download software from websites manually on Windows/macOS. Although technically any file (e.g. .pdf) can be compromised to execute malicious code on our systems, generic files don't usually come with hashes for integrity checks (perhaps another, larger problem?).

I WILL PAY FOR THAT