{"id":551,"date":"2022-03-10T18:30:59","date_gmt":"2022-03-10T18:30:59","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2022\/03\/10\/code-verify-an-open-source-browser-extension-for-verifying-code-authenticity-on-the-web\/"},"modified":"2022-03-10T18:30:59","modified_gmt":"2022-03-10T18:30:59","slug":"code-verify-an-open-source-browser-extension-for-verifying-code-authenticity-on-the-web","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2022\/03\/10\/code-verify-an-open-source-browser-extension-for-verifying-code-authenticity-on-the-web\/","title":{"rendered":"Code Verify: An open source browser extension for verifying code authenticity on the web"},"content":{"rendered":"<p><span>Since WhatsApp introduced<\/span><a href=\"https:\/\/engineering.fb.com\/2021\/07\/14\/security\/whatsapp-multi-device\/\"> <span>multi-device capability<\/span><\/a><span> last year, we\u2019ve seen an increase in people accessing WhatsApp directly through their web browser via WhatsApp Web. With this shift in mind, we\u2019ve been looking at ways to add additional layers of security to the WhatsApp Web experience. Starting today, you can now use Code Verify, an open source web browser extension that automatically verifies the authenticity of the WhatsApp Web code being served to your browser. Code Verify confirms that your WhatsApp Web code hasn\u2019t been tampered with or altered, and that the WhatsApp Web experience you\u2019re getting is the same as everyone else\u2019s.\u00a0<\/span><\/p>\n<p><span>For years, WhatsApp has protected the personal messages you send on WhatsApp Web with end-to-end encryption as they transit from sender to recipient. But security conscious users need to be confident that when WhatsApp Web receives these encrypted messages, it is protected as well. In contrast to a downloadable mobile app, a web app is usually served directly to users, without a third party reviewing and auditing the code. 
There are many factors that could weaken the security of a web browser that don\u2019t exist in the mobile app space, such as browser extensions. Additionally, because the mobile app space was built after the web was created, the security guarantees offered on mobile can be stronger, particularly given that third-party app stores review and approve each app and software update. But today, that\u2019s changing, as Code Verify is bringing even more security to WhatsApp Web.\u00a0<\/span><\/p>\n<p><span>Code Verify works in partnership with Cloudflare, a web infrastructure and security company, to provide independent, third-party, transparent verification of the code you\u2019re being served on WhatsApp Web. We hope this gives at-risk users peace of mind.\u00a0<\/span><\/p>\n<p><span>No other end-to-end encrypted messaging service has this level of security for people\u2019s communications on the web. In addition to deploying Code Verify for WhatsApp Web, it is also being offered as open source so that other services can use it as well. Below is an overview of how Code Verify works, how to use it, and the value of open-sourcing it.\u00a0\u00a0<\/span><\/p>\n<h2>How Code Verify works<\/h2>\n<p><span>Code Verify expands on the concept of <\/span><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Subresource_Integrity\"><span>subresource integrity<\/span><\/a><span>, a security feature that lets web browsers verify that the resources they fetch haven\u2019t been manipulated. Subresource integrity applies only to single files, but Code Verify checks the resources on the entire webpage. To do this at scale, and to enhance trust in the process, Code Verify partners with Cloudflare to act as a trusted third party.\u00a0<\/span><\/p>\n<p><span>We\u2019ve given Cloudflare a cryptographic hash source of truth for WhatsApp Web\u2019s JavaScript code. 
When someone uses Code Verify, the extension automatically compares the code that runs on WhatsApp Web against the version of the code verified by WhatsApp and published on Cloudflare. If there are any inconsistencies, Code Verify will notify the user.<\/span><\/p>\n<p><span>While comparing hashes to detect files that have been tampered with is not new, Code Verify does so automatically, with the help of Cloudflare\u2019s third-party verification, and at this scale for the first time. <\/span><span>WhatsApp\u2019s security protections, the Code Verify extension, and Cloudflare all work together to provide real-time code verification. <\/span><span>Whenever the code for WhatsApp Web is updated, the cryptographic hash source of truth and extension will update automatically as well.\u00a0<\/span><\/p>\n<p>Code Verify matches the WhatsApp Web code you\u2019re served with a source of truth verified by WhatsApp and published on Cloudflare to ensure the version of WhatsApp Web you\u2019re using is authentic. (Image source: Cloudflare)<\/p>\n<p><span>Cloudflare has provided a deeper dive on how this system works, including their role as a trusted third party, on their blog which can be found <a href=\"https:\/\/blog.cloudflare.com\/cloudflare-verifies-code-whatsapp-web-serves-users\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.\u00a0<\/span><\/p>\n<h2><span>How to use Code Verify<\/span><\/h2>\n<p><span>The Code Verify extension is offered by <\/span><a href=\"https:\/\/opensource.fb.com\/\"><span>Meta Open Source<\/span><\/a><span> and will be available on the official browser extension stores for Google Chrome, Microsoft Edge, and Mozilla Firefox. <\/span><span>The extension doesn\u2019t log any data, metadata, or user data, and it does not share any information with WhatsApp. It also does not read or access the messages you send or receive. In fact, neither WhatsApp nor Meta will know whether someone has downloaded the Code Verify extension. 
Additionally, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare.<\/span><\/p>\n<p><span>Once installed, Code Verify will run automatically when you go to WhatsApp Web and <\/span><span>act as a real-time alert system for the code you\u2019re being served on WhatsApp Web<\/span><span>. Pinning the extension to your web browser\u2019s toolbar will allow you to see its findings without any additional steps. You can think of Code Verify as a traffic light for your WhatsApp Web code:<\/span><\/p>\n<p><span>Code Verify will run immediately, and if the WhatsApp Web code is fully validated, the Code Verify icon in the browser will appear green (see below).<\/span><br \/>\n<span>If the Code Verify icon appears orange (see below), it means that you need to refresh your page or that another browser extension is interfering with Code Verify. In this instance, Code Verify will recommend that you pause your other browser extensions.<\/span><br \/>\n<span>If the Code Verify icon appears red (see below), it will indicate that there is a possible security issue with the WhatsApp Web code you\u2019re being served.\u00a0<\/span><\/p>\n<p><span>More information about using Code Verify and steps to take in the event of a validation failure or other issues can be found <a href=\"https:\/\/faq.whatsapp.com\/web\/security-and-privacy\/about-code-verify\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/span><\/p>\n<h2><span>Open source for others to leverage as well\u00a0<\/span><\/h2>\n<p><span>Code Verify is available on <a href=\"https:\/\/github.com\/facebookincubator\/meta-code-verify\/\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>. Open-sourcing the Code Verify extension has a few important benefits. First, it allows other companies, groups, and individuals to apply this same level of transparency to their own applications and freely share new ideas with one another to help improve the feature. 
Second, it puts the power of transparency squarely in the hands of the people. As a browser extension that exists independently of WhatsApp and its infrastructure, people can see for themselves that the extension hasn\u2019t been tampered with. Third, that same discoverability also protects the extension itself. Since it exists in the public eye, it can benefit from the protections of a watchful open source community.<\/span><\/p>\n<p><span>We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale. We hope that more services use the open source version of Code Verify and make third-party verified web code the new norm. And in doing so, we hope this helps bring additional security protections to people all over the world and move the entire industry forward.\u00a0<\/span><\/p>\n<p><span>Download the Code Verify extension for:<\/span><\/p>\n<p><a href=\"https:\/\/chrome.google.com\/webstore\/detail\/code-verify\/llohflklppcaghdpehpbklhlfebooeog\"><span>Chrome<\/span><\/a><\/p>\n<p><a href=\"https:\/\/microsoftedge.microsoft.com\/addons\/detail\/code-verify\/cpndjjealjjagamdecpipjfamiigaknk\"><span>Edge<\/span><\/a><\/p>\n<p><span>Firefox (coming soon)<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2022\/03\/10\/security\/code-verify\/\">Code Verify: An open source browser extension for verifying code authenticity on the web<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Engineering at Meta<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Since WhatsApp introduced multi-device capability last year, we\u2019ve seen an increase in people accessing WhatsApp directly through their web browser via WhatsApp Web. With this shift in mind, we\u2019ve been looking at ways to add additional layers of security to the WhatsApp Web experience. 
Starting today, you can now use Code Verify, an open source&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2022\/03\/10\/code-verify-an-open-source-browser-extension-for-verifying-code-authenticity-on-the-web\/\">Continue reading <span class=\"screen-reader-text\">Code Verify: An open source browser extension for verifying code authenticity on the web<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-551","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":701,"url":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/deploying-key-transparency-at-whatsapp\/","url_meta":{"origin":551,"position":0},"title":"Deploying key transparency at WhatsApp","date":"April 13, 2023","format":false,"excerpt":"WhatsApp has launched a new cryptographic security feature to automatically verify a secured connection based on key transparency.\u00a0 The feature requires no additional actions or steps from users and helps ensure that a conversation is secure.\u00a0 Key transparency solutions help strengthen the guarantee that end-to-end encryption provides to private, personal\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":800,"url":"https:\/\/fde.cat\/index.php\/2023\/12\/07\/building-end-to-end-security-for-messenger\/","url_meta":{"origin":551,"position":1},"title":"Building end-to-end security for Messenger","date":"December 7, 2023","format":false,"excerpt":"We are beginning to upgrade people\u2019s personal conversations on Messenger to use end-to-end encryption (E2EE) by default Meta is publishing two technical white papers on end-to-end encryption: Our Messenger end-to-end encryption 
whitepaper describes the core cryptographic protocol for transmitting messages between clients. The Labyrinth encrypted storage protocol whitepaper explains our\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":331,"url":"https:\/\/fde.cat\/index.php\/2021\/08\/31\/how-whatsapp-enables-multi-device-capability\/","url_meta":{"origin":551,"position":2},"title":"How WhatsApp enables multi-device capability","date":"August 31, 2021","format":false,"excerpt":"For years, people have been asking us to create a true multi-device experience that allows people to use WhatsApp on other devices without requiring a smartphone connection. Today, we\u2019re announcing the rollout of a limited public beta test for WhatsApp\u2019s updated multi-device capability.\u00a0 With this new capability, you can now\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":833,"url":"https:\/\/fde.cat\/index.php\/2024\/03\/06\/making-messaging-interoperability-with-third-parties-safe-for-users-in-europe\/","url_meta":{"origin":551,"position":3},"title":"Making messaging interoperability with third parties safe for users in Europe","date":"March 6, 2024","format":false,"excerpt":"To comply with a new EU law, the Digital Markets Act (DMA), which comes into force on March 7th, we\u2019ve made major changes to WhatsApp and Messenger to enable interoperability with third-party messaging services.\u00a0 We\u2019re sharing how we enabled third-party interoperability (interop) while maintaining end-to-end encryption (E2EE) and other privacy\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":702,"url":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/how-device-verification-protects-your-whatsapp-account\/","url_meta":{"origin":551,"position":4},"title":"How Device Verification protects 
your WhatsApp account","date":"April 13, 2023","format":false,"excerpt":"WhatsApp has launched a new security feature that further helps prevent attackers from using vectors like on-device malware. This security feature, called Device Verification, requires no action or additional steps from users and helps protect your account. This feature is part of our broader work to increase security for our\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":637,"url":"https:\/\/fde.cat\/index.php\/2022\/09\/30\/launching-a-new-chromium-based-webview-for-android\/","url_meta":{"origin":551,"position":5},"title":"Launching a new Chromium-based WebView for Android","date":"September 30, 2022","format":false,"excerpt":"Our in-app browser for Facebook on Android has historically relied on an Android System WebView based on Chromium, the open source project that powers many browsers on Android and other operating systems. On other mobile operating systems, the System WebView component cannot be updated without updating the entire operating system.\u2026","rel":"","context":"In 
&quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=551"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/551\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}