If a Hacker can edit download link, they can edit your SHA256 hash

2 points by hellbanner ↗ HN
Why do websites list SHA256 hashes next to their download links? If 1 is compromised, the other could be too?

2 comments

[ 1.9 ms ] story [ 12.8 ms ] thread
You could always check the SHA256 from a separate device on separate network, ie your smartphone.
Original poster is suggesting that if one can change the downloaded file on the source location, then the same person can update the SHA256 string used to "guarantee authenticity". They're not suggesting a MTM style attack where one changes the string mid flight.