How does verifying the checksum confirm the integrity of a downloaded file, when it’s posted on the same website the file came from?


20 Answers

Anonymous 0 Comments

Checksums don’t protect you from a malicious website host; they protect you from people who hack the website host, or from transmission errors. I have a file that I want to share. I want to make sure everyone who downloads it can verify that they got the same file I put up there – no corruption on the download, not replaced with some virus-laden copy by a bad actor.

So I take the file, and run a program that reads through and creates a number – the checksum – from the bytes of my file. I post the checksum next to the download, so that someone can download the file, run it through the same program, and make sure they get the same number out. If their program gives the same checksum as what I posted, they can feel confident that they have the same file that they’re supposed to have.

For a super simple example of how the checksum part works, let’s use a very short text file and a very simple checksum algorithm. We’ll add all the bytes and look at the last digit of that sum.

File: `74 68 69 73 20 69 73 20 61 20 74 65 73 74`, Checksum: 3

If you sum all those numbers, you get 833. So the Checksum is 3. If someone downloads the file from my site and their program adds the bytes and it ends in 4, then _something_ went wrong.

Checksums get more complicated, of course; that math is far too simple to use for important stuff, but it’s all basically the same regardless of exactly how you calculate them.

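The toy checksum from the answer above, run next to SHA-256, as an added example that is not part of the original answer (function names and the modified sample files are constructed for illustration). It goes one step beyond the answer by showing why the simple math is not enough: a reordered copy, or one changed by exactly ten, still ends in 3, while its SHA-256 digest no longer matches.

```python
import hashlib
import hmac

# The answer's sample file, using the byte values exactly as the answer lists them.
ORIGINAL = bytes([74, 68, 69, 73, 20, 69, 73, 20, 61, 20, 74, 65, 73, 74])


def toy_checksum(data: bytes) -> int:
    """The answer's algorithm: add all the bytes, keep the last decimal digit."""
    return sum(data) % 10


def sha256_hex(data: bytes) -> str:
    """A cryptographic hash of the same bytes, as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, published_hex: str) -> bool:
    """Check a download against the digest published next to it."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(sha256_hex(data), expected)


def compare(original: bytes, received: bytes) -> dict:
    """Report whether each method considers `received` identical to `original`."""
    return {
        "toy_match": toy_checksum(original) == toy_checksum(received),
        "sha256_match": verify(received, sha256_hex(original)),
    }


# Constructed sample downloads (not from the original page).
ONE_BYTE_OFF = bytes([ORIGINAL[0] + 1]) + ORIGINAL[1:]     # sum 834, ends in 4
REORDERED = bytes(reversed(ORIGINAL))                      # same bytes, same sum
SHIFTED_BY_TEN = bytes([ORIGINAL[0] + 10]) + ORIGINAL[1:]  # sum 843, ends in 3

if __name__ == "__main__":
    print("posted toy checksum:", toy_checksum(ORIGINAL))
    for name, blob in [("intact", ORIGINAL), ("one byte off", ONE_BYTE_OFF),
                       ("reordered", REORDERED), ("shifted by ten", SHIFTED_BY_TEN)]:
        print(f"{name:15}", compare(ORIGINAL, blob))
```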