Why and how to cryptographically secure your SteemIt article images.

Executive summary: Calculating and publishing an SHA256 checksum for images included in SteemIt posts brings blockchain-level verifiability to the content of the images, despite the image data not being directly included in the blockchain.

---

SteemIt's blockchain ensures that the text content of posts cannot be edited or removed without leaving an audit trail.

That's fine as far as text goes -- but what about images? SteemIt does not store images directly on the blockchain. It only stores web links to image files. The image file resides on a separate server not subject to blockchain-backed verification, security, and data duplication. An image server administrator (or a hacker) may be able alter any image file without leaving a trace. Your blockchain-backed SteemIt article text would then be marred with a doctored or completely different image.

You know that the image file you upload & include in your post is the correct one -- you see it before you upload it, and after you upload it you can tell it's the same image. But how can people besides you know that the image they're seeing is the one you uploaded? Without cryptographic proof they have to trust off-blockchain image servers, whether SteemIt's or someone else's.

If you want to give your readers strong assurance that they're seeing exactly the images you meant them to see in your articles -- that neither you nor anybody else came along later and altered or replaced them with different ones - you can generate SHA256 checksums for your images and include the checksums along with the images in your post. If your reader verifies the current image file's checksum against the one you published, they know the image they're seeing is bit-for-bit identical with the one you originally uploaded.

The technique here is not SteemIt-specific, it could be used on any image (or file) posted on any website -- but by using it on a blockchain-backed platform like SteemIt you can easily prove not only what the image is, but when it was posted, without resorting to a 3rd-party blockchain notarizing service.

How to generate & include SHA256 checksums for your SteemIt article images:

NB: This method works on desktop computers. Not likely to work on mobile devices.

• Finalize your image -- make any last tweaks, color adjustments, and crops it may need. You can't edit a single pixel of it later without causing an SHA256 checksum mis-match.

• Create an SHA256 checksum for your image file. There are lots of SHA256 generator/verifier utilities out there:

https://md5file.com/calculator (web-based, tested on Mac OS X & Windows 10, probably supports most other modern platforms and browsers)

or

openssl dgst -sha256 <file_name> (Mac OS X command-line utility),

MS Windows users, try googling for "Windows SHA256 hash utility" to find & download a suitable program.

The SHA256 checksum will look something like this: 8316d31c0be4f9631ca39d3d408b896dd714fcdc0664dc2dbfa49dd7fc46e99c (64 characters long --no more, no less)

• Upload the image file and include it in your SteemIt post.

• Add the SHA256 checksum string beneath the image:

SHA256 checksum for the image above: 8316d31c0be4f9631ca39d3d408b896dd714fcdc0664dc2dbfa49dd7fc46e99c

Anyone can download the image to their local computer and run it through an SHA256 checksum generator/verifier utility. If the checksum matches the one posted under the image they know with very high confidence that the file they're looking at is bit-for-bit identical to the one I included in the original post.

All text content on SteemIt, even edits made during the initial 7-day editing window after an article is posted, is traceable on the blockchain. Nobody (including the author) is able to change SHA256 checksums or any other article text without leaving evidence.

Important notes:

This technique cannot easily produce a false-negative result, but it can easily produce false-positives. A mis-matched checksum does not prove that SteemIt's image servers were hacked or that an administrator is altering or censoring images. All it proves is that the downloaded file is not bit-for-bit identical with the one originally included by the post author.

Here are the likely causes of checksum mismatches from most-likely to least:

1. Your web browser or local desktop operating system altered the file automatically when you downloaded it to your local computer. This can sometimes happen due to web browsers using different encoding methods for handling downloaded files. This explanation covers probably 95% of apparent checksum mismatches. Best way to rule it out is to try the download-and-verify procedure on several different computers with different operating systems -- Windows, Mac OS X, Linux, etc. Assuming the computers themselves are trusted (not malware-infected, etc.), if even one of them produces an SHA256 checksum which matches the one in the post, it proves that the the file is the original, unaltered copy. In the unlikely event that cross-checking on say, 3 or more separate computers running different OS versions, browsers, etc. still does not produce any matches, at that point it's time to call in the calvary: ask a few friends to try the same verification process on their computers and see if anyone obtains a checksum match. If nobody does.. hmm, it's pretty likely that the file is different from the one originally uploaded.

2. Server maintenance or system update processes intentionally made small but benign changes to the file. Maybe an OS update and a migration to a new file system. If the image is stored in a database, maybe updates or changes to the DB architecture required all stored files to be exported and imported, etc.

3. Data corruption in RAM or on the storage media (hard disk, SSD, etc.) caused the file contents to change. It only takes the addition, loss, or changing of a single bit of data to produce a completely different SHA checksum. See also: "bit rot."

4. Unlikely, but possible: Somebody intentionally altered the image file.
   Theoretically someone could remove or replace the externally-hosted image with whatever they please, compromising the original post author's integrity and credibility. Due to the prevalence and likelihood of causes 1, 2, and 3 above it will take more than just an SHA256 checksum mismatch to prove malfeasance or censorship.

---

It'd be nice if the SteemIt platform automatically included SHA256 checksum verification on all uploaded/in-lined content. Probably not too hard for the developers to implement, maybe they just haven't gotten around to it yet.

In the meantime it's not too hard to do it yourself.