I don’t understand checksums


I understand how it works but I don’t understand why. Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?


8 Answers

Anonymous 0 Comments

If you got access to the VLC website then yes, maybe you could do that. But VLC also has their program distributed to many other independent websites in order to make it more available for downloading than VLC itself can support. Those other sources of the download might serve up altered files but you could always check the checksum from the VLC website to figure out if they are the same or not.

Anonymous 0 Comments

Checksums are used to make sure that a file has not been modified or corrupted. When a file is created, a checksum is generated based on the contents of the file. This checksum is then stored along with the file. When the file is downloaded, the checksum of the downloaded file is compared to the stored checksum. If the checksums are the same, it means that the file has not been modified and is safe to use. If the checksums are different, it means that the file has been modified and may be unsafe to use.
If you hack a website and modify the download file, you would also have to change the stored checksum on the website to match the new checksum of the modified file. However, this would not necessarily be easy to do, and it would be very difficult to change the checksum without being noticed. Additionally, even if you did manage to change the checksum on the website, anyone who had previously downloaded the original file would still have the original checksum and would be able to detect that the file had been modified.
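
As an added example (not part of the answers above, and not VLC's own tooling), here is the check those two answers describe: hash the copy you got from a mirror and compare it against the digest the vendor publishes in a SHA256SUMS-style file. The file contents, the filename vlc-installer.exe and the checksum line are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for the real artefacts (added example, not VLC's code or release files).
VENDOR_RELEASE = b"vlc-installer.exe: constructed stand-in for the installer bytes\n" * 3
MIRROR_COPY = VENDOR_RELEASE                                  # an honest mirror serves identical bytes
TAMPERED_COPY = VENDOR_RELEASE.replace(b"installer bytes", b"trojaned bytes", 1)


def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a byte string, fed in chunks the way you would stream a large download."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse the sha256sum(1) output format: '<64 hex chars>  <name>' or '<64 hex chars> *<name>'."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()   # '*' marks binary mode; strip it from the name
    return expected


def verify_download(filename: str, data: bytes, published_sums: Dict[str, str]) -> bool:
    """True only if the file's digest equals the digest the vendor published for that filename."""
    if filename not in published_sums:
        return False                      # nothing to compare against: treat as unverified
    actual = sha256_of(data)
    # compare_digest avoids timing leaks; irrelevant for a local file, but it is the right habit
    return hmac.compare_digest(actual, published_sums[filename])


# What the vendor publishes on its own site (a SHA256SUMS file), computed from the genuine file.
PUBLISHED_SHA256SUMS = f"{sha256_of(VENDOR_RELEASE)}  vlc-installer.exe\n"
PUBLISHED = parse_sha256sums(PUBLISHED_SHA256SUMS)


def check_mirror_copy() -> bool:
    return verify_download("vlc-installer.exe", MIRROR_COPY, PUBLISHED)


def check_tampered_copy() -> bool:
    return verify_download("vlc-installer.exe", TAMPERED_COPY, PUBLISHED)


if __name__ == "__main__":
    print("mirror copy verifies:  ", check_mirror_copy())     # True
    print("tampered copy verifies:", check_tampered_copy())   # False
```

The digest you compare against has to come from the vendor's own page, fetched over HTTPS; a checksum hosted on the same mirror as the file tells you only that the mirror agrees with itself.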

Anonymous 0 Comments

It’s more of a mechanism in place for the user to verify that they downloaded the original, non-tampered file with no corruptions.

There are tons of ways a file could be manipulated in transit, on the way to your system – for instance, man-in-the-middle attacks, DNS hijacks, etc.

Anonymous 0 Comments

Sometimes people use checksums simply to make sure that files haven’t been corrupted accidentally. For example, suppose you’re downloading a big file for offline use later: you might want to check that the download didn’t stop part way through. Non-secure checksums like MD5 are only suitable for purposes like that, since it’s possible for a malicious user to tamper with a file in such a way that it retains the same MD5.

A common use for cryptographically secure checksums is to verify files downloaded from a third-party mirror or from a P2P network, since clearly the creator of the file has no control over those.

> Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?

When it comes to a prominent open-source project like VLC, it’s likely that someone would notice that the checksum on the website had changed for no apparent reason.

But in general, yeah, there is no magic way of preventing websites from being hijacked and filled with malware. Checksums are just one of many tools that can be used to make it more difficult or more obvious.

Anonymous 0 Comments

VLC makes software. They use a 3rd party to distribute the software to users. How do we know the 3rd party didn’t do any tampering with the software that they were given by VLC? You check the checksum! A checksum is a special number made by using math on the original program. You can download the checksum from VLC, then do the same math on the 3rd party download. If they match, you’re good.

Imagine a book. Let’s say you created a string of letters from every 100 words. That’s a kind of checksum. If someone bought a book from a publisher and wanted to verify that it was really written by you, they could get the checksum directly from you and follow your instructions to check every 100 characters. It’s difficult for the publisher to change significant portions of the writing without failing the checksum test.
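
The "every 100 words" checksum from the book analogy, written out as an added example (not the original poster's code), next to the caveat from the earlier MD5 answer: a checksum that is easy to satisfy catches accidental damage such as a truncated download but not a deliberate edit placed where it never looks. The 1000-word "book" and the edit positions are constructed for the example; real MD5 collisions come from crafted colliding inputs, a different mechanism that is not reproduced here.

```python
import hashlib

# Constructed "book" of 1000 words: word1 word2 ... word1000 (added example, not from the thread).
BOOK = " ".join(f"word{i}" for i in range(1, 1001))
STRIDE = 100


def sampled_checksum(text: str, stride: int = STRIDE) -> str:
    """The book analogy: keep one word out of every `stride` words (the 100th, 200th, ...).
    Cheap to compute and compare, but it never looks at the other 99 words in each block."""
    words = text.split()
    return " ".join(words[stride - 1::stride])


def sha256_checksum(text: str) -> str:
    """A cryptographic hash depends on every byte, so any change shows up."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def truncated(text: str) -> str:
    """Accidental corruption: a download that stopped part way through."""
    return text[: len(text) // 2]


def tampered_between_samples(text: str, stride: int = STRIDE) -> str:
    """Deliberate tampering aimed at the weak checksum: replace the 50th word of every block of
    `stride` words (indices 49, 149, ...) and leave every sampled word untouched."""
    words = text.split()
    for i in range(stride // 2 - 1, len(words), stride):
        words[i] = "MALWARE"
    return " ".join(words)


def sampled_detects(modified: str) -> bool:
    return sampled_checksum(modified) != sampled_checksum(BOOK)


def sha256_detects(modified: str) -> bool:
    return sha256_checksum(modified) != sha256_checksum(BOOK)


if __name__ == "__main__":
    cut = truncated(BOOK)
    bad = tampered_between_samples(BOOK)
    print("truncated: sampled", sampled_detects(cut), "sha256", sha256_detects(cut))   # True True
    print("tampered:  sampled", sampled_detects(bad), "sha256", sha256_detects(bad))   # False True
```

The same split applies to real algorithms: CRC32 and a truncated download, fine; MD5 and an adversary who gets to choose the bytes, not fine.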

Anonymous 0 Comments

You can fuck around with a download which would change its checksum easily enough. But you can’t change the checksum on the website. It is what it is – set in stone. You would need to somehow hack through the website’s https encryption to present a checksum to arbitrarily be what you want it to be, but it’s virtually impossible. Without access to a quantum supercomputer, it would take ***decades*** for conventional computers to crack https encryption and inject a checksum of your choosing.

Anonymous 0 Comments

> I understand how it works but I don’t understand why. Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?

That’s entirely correct: checksums don’t protect against malicious manipulation. They serve other purposes.

It’s long been a tradition to have checksums at various download sites to protect against replication errors and in-transit corruption. This used to be an issue with FTP servers, where download completion can’t be precisely determined because the protocol just sucks. Also FTP has an “ASCII” transmission mode notorious for corrupting downloads.

So people started including checksums to allow people to quickly verify that they downloaded the entire thing, and that what they got is in working order. This is mostly obsolete in the modern age, but some people still stick to it.

For proving that the file has not been tampered with you need an actual cryptographic signature.
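
To make that last point concrete, an added example (not from this thread and not VLC's release process) using textbook RSA with tiny hard-coded primes and no padding, which is only good enough to show who can produce a valid signature: the attacker who controls the site can recompute the hash and republish it, so a hash check passes, but cannot produce a signature that the vendor's public key accepts. The file contents and the key values are constructed; for real releases use GPG, minisign, or a proper library (for example Ed25519 in PyCA cryptography).

```python
import hashlib

# Added example, not code from this thread or from VLC. Textbook RSA over a tiny hard-coded modulus
# with no padding: enough to show who can and cannot make a valid signature, far too weak for real use.


def make_keypair(p: int, q: int, e: int = 65_537):
    """Return ((e, n), d) for two primes. Primes are hard-coded below; real keys are generated randomly."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse of e (Python 3.8+)
    return (e, n), d


# Vendor key from the Mersenne primes 2^31-1 and 2^61-1 (n is about 92 bits: a toy).
VENDOR_PUB, VENDOR_PRIV = make_keypair(2_147_483_647, 2_305_843_009_213_693_951)
# The attacker's own key (2^19-1 and 2^13-1): they can sign with it, but it is not the vendor's key.
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(524_287, 8_191)


def file_hash(data: bytes, n: int) -> int:
    """SHA-256 of the file as an integer below n (real schemes pad the hash rather than reduce it)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, pub, priv: int) -> int:
    """Needs the private exponent: only the key holder can compute this."""
    _, n = pub
    return pow(file_hash(data, n), priv, n)


def verify_signature(data: bytes, signature: int, pub) -> bool:
    """Needs only the public key, which the user got out of band rather than from the possibly hacked page."""
    e, n = pub
    return pow(signature, e, n) == file_hash(data, n)


def verify_published_hash(data: bytes, published_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == published_hex


# Constructed stand-ins for the release.
GENUINE = b"vlc-installer.exe: constructed stand-in for the genuine installer\n"
MALICIOUS = GENUINE.replace(b"genuine", b"trojaned")

# What the vendor publishes: the file, its SHA-256, and a signature over the file.
PUBLISHED_HASH = hashlib.sha256(GENUINE).hexdigest()
PUBLISHED_SIG = sign(GENUINE, VENDOR_PUB, VENDOR_PRIV)


def genuine_release_verifies() -> bool:
    return verify_published_hash(GENUINE, PUBLISHED_HASH) and verify_signature(GENUINE, PUBLISHED_SIG, VENDOR_PUB)


def hacked_site_fools_hash_check() -> bool:
    """The question's scenario: the attacker swaps the file and rewrites the published hash to match."""
    new_hash = hashlib.sha256(MALICIOUS).hexdigest()       # trivial: hashing needs no secret
    return verify_published_hash(MALICIOUS, new_hash)       # True, the hash check is fooled


def hacked_site_fools_signature_check() -> bool:
    """Without VENDOR_PRIV the best the attacker can do is leave the old signature in place."""
    return verify_signature(MALICIOUS, PUBLISHED_SIG, VENDOR_PUB)   # False


def attacker_signs_with_own_key() -> bool:
    """A signature from the attacker's own key fails against the vendor's public key, which is why the
    user must obtain that key (or its fingerprint) from somewhere other than the hacked site."""
    forged = sign(MALICIOUS, ATTACKER_PUB, ATTACKER_PRIV)
    return verify_signature(MALICIOUS, forged, VENDOR_PUB)          # False


if __name__ == "__main__":
    print("genuine release verifies:   ", genuine_release_verifies())            # True
    print("hash check fooled:          ", hacked_site_fools_hash_check())        # True
    print("signature check fooled:     ", hacked_site_fools_signature_check())   # False
    print("attacker's own key accepted:", attacker_signs_with_own_key())         # False
```

The signature only helps if the public key came from somewhere other than the page being verified: a key file hosted on the hacked site can be swapped just as easily as the checksum.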