By this I mean, what's an end-to-end use case for it? In which a user wants a SHA hash of a file, uses this thing to get it, and then does something with the hash.
Hey Thomas,
The itch I was scratching with this tool is that there isn't a built-in way in Windows to get a digest of a file, so... what better way than doing it in the browser?
Also, I'm the paranoid type and don't like the idea of uploading a file to someone else's server if I want the digest.
You aren't worried that doing this via JavaScript will make it insecure for that use? In almost the same manner as uploading your file to a server (simply to get the hash) would be?
I don't really understand what you're saying here. Other services that calculate the digest of a file online require you to upload your file to the service/site where you don't know what they will do with it. With Browser Hash, not one bit of your file leaves your computer or travels over the network.
How do I know that my file is never leaving my computer? To verify that, I have to verify every line of JavaScript code influencing that page, every time I use it, to make sure it isn't spiriting away my file contents or feeding bogus SHA fingerprint values back to me.
I think what xtacy means by MITM is that the JavaScript sent by the server might be MITM'd and altered to return a different value than the actual hash.
But for instance, if I'm trying to SHA1 a Windows 8 ISO (the kind which I imagine would be by far the most common use case - in which a cryptographically secure hash algorithm isn't even a prerequisite; any checksum would do).
It's not any worse than downloading the sha1sum app from any http site.
1. Haha, I agree that files will eventually become less accessible for the majority of computer users. Something like how the iPad handles projects/songs/documents instead of the generic "file".
2. Due to HTML5 limitations, you will need to drop the file from your local storage onto the browser window.
3. Yes you can get digests of a file on Windows, but it doesn't come with a built-in program.
There's a certain cool factor of file drag/drop but I think that the click-to-browse paradigm is useful on certain laptop trackpads where dragging isn't a pleasure and other situations. It would be nice if you made the drag area clickable (like min.us).
This could be useful to validate large files after downloading them, e.g. ISO files for Linux distributions--however that goes out the window with the 10MB size limit.
Why the limit? Does it take too long to compute hashes for larger files?
You could split up the file chunks by reading in sections (blob.webkitSlice and mozSlice) as array buffers and sending them to a worker object. Then you could process those in chunks with WebWorkers (or WebGL) and have a progress indicator.
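The chunked approach suggested in the comment above, as an added example that is not part of the original thread or of Browser Hash's code: the file is read slice by slice and fed to an incremental hash, so memory use is bounded by the chunk size and a progress callback can fire after each slice. Assumptions: it runs under Node.js 18+ (global `Blob`), Node's `createHash` stands in for the incremental SHA implementation a browser page would have to ship itself, and the names `hashChunks`, `hashBlob` and `matchesPublishedDigest` are hypothetical.

```javascript
// Added example (assumption: Node.js 18+). In a browser the same loop applies,
// but createHash must be replaced by a JS/WASM incremental hash implementation.
const { createHash } = require('node:crypto');

// Hash an iterable of byte chunks without joining them into one buffer.
function hashChunks(chunks, algorithm = 'sha256') {
  const hash = createHash(algorithm);
  for (const chunk of chunks) hash.update(chunk);
  return hash.digest('hex');
}

// Read a Blob/File slice by slice; only one chunk is held in memory at a time.
async function hashBlob(blob, { chunkSize = 4 * 1024 * 1024, algorithm = 'sha256', onProgress } = {}) {
  if (!Number.isInteger(chunkSize) || chunkSize <= 0) {
    throw new RangeError('chunkSize must be a positive integer');
  }
  const hash = createHash(algorithm);
  for (let offset = 0; offset < blob.size; offset += chunkSize) {
    const end = Math.min(offset + chunkSize, blob.size);
    // slice() copies nothing; the bytes are read only when arrayBuffer() runs.
    const bytes = new Uint8Array(await blob.slice(offset, end).arrayBuffer());
    hash.update(bytes);
    if (onProgress) onProgress(end, blob.size);
  }
  return hash.digest('hex'); // an empty file yields the digest of zero bytes
}

// Compare the result with the digest published by the file's distributor,
// tolerating case differences and surrounding whitespace from copy/paste.
function matchesPublishedDigest(computedHex, publishedHex) {
  return computedHex.toLowerCase() === publishedHex.trim().toLowerCase();
}

// Constructed sample: a 3-byte "file" read 2 bytes at a time.
const sampleFile = new Blob(['abc']);
hashBlob(sampleFile, { chunkSize: 2, onProgress: (done, total) => console.log(`${done}/${total} bytes`) })
  .then((hex) => console.log(hex));
```

The digest is only useful for download validation when the published value it is compared against was obtained over a channel the reader trusts.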
Browser-based upload, but with file-hash-based deduping to skip the upload if possible, à la Dropbox? (Not a use-case for this site, but one for in-browser file hashing)