[whatwg] checksum attribute in a href tag

Ian Hickson ian at hixie.ch
Fri Oct 19 12:34:18 PDT 2012

On Fri, 19 Oct 2012, A. Rauschenbach wrote:
> If I write an article and link to other documents I want a solution that 
> the visitor can be sure that the document he opens is the document I 
> originally linked to. (And if it's not he gets informed. So he knows that 
> the information may differ from the one the article talks about.)

I don't think this is something that would be very practical. As Tab says, 
pages change a _lot_. You'd just always be getting a warning that the page 
had changed, even if the important content had not.

> The second point is that verification if a file was downloaded correctly 
> is a computer task not a human task. A standard how to give the 
> verification information enables the browser/plugin vendors to do this 
> task.

If the file is downloaded over TLS, then it's already verified. Pretty 
much any attack scenario in which the file can be corrupted 
(man-in-the-middle, server-side corruption, client-side corruption, etc.) 
can attack the file just as easily as the hash, so there's not really any 
gain from checking a hash. (This applies equally well to manual checking.) 
Providing such a feature would, in most cases, just give users a false 
sense of security.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
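
The two objections in this message, modelled as an added Python example that is not part of the original post: a checksum on a link flags any byte change, and it flags an altered file only when whatever altered the file could not also rewrite the checksum. `link_check`, `deliver`, the sample documents and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def link_check(checksum: str, fetched: bytes) -> bool:
    """Hypothetical browser check: does the fetched body match the link's checksum?"""
    return hmac.compare_digest(checksum, sha256_hex(fetched))

# Constructed sample documents (not taken from the thread).
ORIGINAL = b"<h1>Report</h1><p>Finding: 42</p><footer>Updated 2012-10-18</footer>"
COSMETIC = b"<h1>Report</h1><p>Finding: 42</p><footer>Updated 2012-10-19</footer>"
ALTERED = b"<h1>Report</h1><p>Finding: 17</p><footer>Updated 2012-10-18</footer>"

def deliver(article_checksum, target_body, altered_body=None, hash_also_reachable=False):
    """Model one page load and return True when no warning would be shown.

    If altered_body is given, a fault on the path (network, server or client)
    replaced the target. hash_also_reachable says whether that same fault
    could rewrite the checksum carried by the linking article.
    """
    body = target_body if altered_body is None else altered_body
    checksum = article_checksum
    if altered_body is not None and hash_also_reachable:
        # Same channel, same reach: the checksum is recomputed to match.
        checksum = sha256_hex(altered_body)
    return link_check(checksum, body)

def scenarios() -> dict:
    published = sha256_hex(ORIGINAL)  # checksum the author put in the link
    return {
        "unchanged": deliver(published, ORIGINAL),
        # Only the footer date changed, yet the check fails.
        "cosmetic_edit": deliver(published, COSMETIC),
        # Content altered and checksum rewritten: the check passes.
        "altered_hash_reachable": deliver(published, ORIGINAL, ALTERED, True),
        # Content altered, checksum out of reach: the check fails.
        "altered_hash_out_of_reach": deliver(published, ORIGINAL, ALTERED, False),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'no warning' if ok else 'WARNING: document changed'}")
```
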
