When you download things, you want to know for certain that what you’re downloading really is what you expect it to be.

It’s possible that when you download something from a website, as the data streams through the Internet pipes from that website to your computer, someone malicious could intercept your download, tamper with it, and send you something else. Or, perhaps the sender was hacked and the hacker modified their website to send you a malicious file instead of the one you actually wanted. And if that was the end of it, you’d have no way to know that either of these have happened.

There’s a kind of program you can use where you dump raw data into it, and it will crunch up and scramble that data and spit out… some random-looking garbage. It has a name, but for now I’ll just call it the “data shredder”. There are two interesting things about these kinds programs that are relevant: 1) when you feed the same data into the data shredder over and over, the same exact garbage will come out every single time, and 2) changing the input data even just a *little* will *completely* change the output garbage, in a way that can’t be easily predicted ahead of time.

We can use the data shredder program to our advantage here. Say the website you’re downloading from takes that download and runs it through the data shredder. They take the garbage and post it on their website for all to see. Then, you visit the website and download the program. Once it’s downloaded, you can run the stuff you got through the same data shredder program on your own computer. If the garbage that comes out matches the garbage on the website, you can be reasonably confident that your downloaded data wasn’t tampered with. If it was, even just a little bit, the garbage would be completely different. You’d definitely be able to tell.

The proper name for these garbage shredder programs (or at least, the inner parts that make them work) is a “hashing algorithm”, and the garbage they kick out is called a “hash”. There are many different kinds of hashing algorithms tailored to different kinds of needs. SHA1 and SHA256 are just two of the many kinds. SHA1 is the weaker of the two–a very smart person with very powerful tech and a very careful plan could defeat it–but it takes less computational power to run, which weaker devices might appreciate (this isn’t really a relevant problem for recent tech you’d probably be using). SHA256 is bigger, beefier, and stronger, but it’s slightly harder to run. Your example website gives people the choice of which one they want to use. The less secure faster one is there if you aren’t too concerned or need the efficiency, and the more secure slower one is there if you want to be extra sure.