I would like to know some file checksum (e.g. SHA-256 hash or something else) when I start downloading the file from the HTTP server. It can be transmitted as one of the HTTP response headers.
HTTP ETag looks like something similar, but it is only used to invalidate the browser cache, and as I noticed, each site calculates it in its own way, and it does not look like any hash that I know.
Some software download sites provide different file checksums as separate files for downloading (for example, the latest versions of Ubuntu 16.04 SHA1 hashes: http://releases.ubuntu.com/16.04/SHA1SUMS ). Wouldn't it be easier to just include them in the header of the HTTP response and make the browser calculate it at the end of the download (and not force the user to do this manually)?
I believe that the whole HTTP-based Internet works because we use the TCP protocol, which is reliable and ensures that the bytes received are exactly the same as the ones sent by the server. But if TCP is so cool, why do we check file hashes manually (see Ubuntu example)? And a lot can go wrong during file loading (client / server disk corruption, server-side file modification, etc.). And if I'm right, everything can be fixed by simply passing the hash of the file at the start of the download ...
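The check the question describes, hashing the bytes as they arrive and comparing against the published value once the transfer ends, as an added example that is not part of the original post. It assumes the checksum list uses the `<hex digest> [*]<filename>` line layout of files such as SHA1SUMS; the function names, the file name `example.iso` and its contents are constructed for illustration.

```python
import hashlib
import hmac

HEX = set("0123456789abcdefABCDEF")

def parse_sums(text):
    """Parse '<hex digest> [*]<filename>' lines into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):          # '*' marks binary mode in checksum lists
            name = name[1:]
        if not name or not digest or not set(digest) <= HEX:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def verify_stream(chunks, expected_hex, algo="sha1"):
    """Hash chunks as they arrive; compare with the published digest at the end."""
    h = hashlib.new(algo)
    received = 0
    for chunk in chunks:                  # no need to hold the whole file in memory
        h.update(chunk)
        received += len(chunk)
    ok = hmac.compare_digest(h.hexdigest(), expected_hex.lower())
    return ok, received, h.hexdigest()

# Constructed sample data: a 27000-byte "download" and its checksum list.
PAYLOAD = b"constructed image contents " * 1000
CHUNKS = [PAYLOAD[i:i + 4096] for i in range(0, len(PAYLOAD), 4096)]
SUMS_TEXT = f"{hashlib.sha1(PAYLOAD).hexdigest()} *example.iso\n"

def demo():
    expected = parse_sums(SUMS_TEXT)["example.iso"]
    intact = verify_stream(iter(CHUNKS), expected)[0]
    damaged = list(CHUNKS)
    damaged[3] = b"\x00" + damaged[3][1:]          # one byte altered mid-transfer
    corrupted = verify_stream(iter(damaged), expected)[0]
    truncated = verify_stream(iter(CHUNKS[:-1]), expected)[0]  # last chunk missing
    return intact, corrupted, truncated

if __name__ == "__main__":
    print(demo())
```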