
Meta Open-Sources Browser Extension to Establish Web Code Authenticity

Originally created to help WhatsApp users verify the authenticity of the WhatsApp code being served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox that lets other Web services offer the same level of assurance, says Meta.

We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale. We hope that more services use the open source version of Code Verify and make third-party verified web code the new norm.

Code Verify builds on the idea of subresource integrity and extends it from the individual file level to the entire web page. Subresource integrity (SRI) is a W3C recommendation that aims to ensure the content delivered to a browser has not been manipulated. It is important to understand that secure channels (TLS, HSTS, and similar mechanisms) protect content in transit and ensure the server providing the content is indeed the one the browser expects to be talking to, but they do not protect against the delivered content having been compromised at its legitimate source server: a tampered script served from the real origin over a valid TLS connection arrives with every transport-level check passing.

Subresource integrity extends two HTML elements, script and link, with an integrity attribute that carries a cryptographic hash (sha256, sha384, or sha512, base64-encoded) of the expected resource; if the fetched resource does not hash to that value, the browser refuses to execute or apply it. For a cross-origin resource the crossorigin attribute is also needed so the browser is allowed to read the response and check it, e.g.:

<script src="https://example.com/example-framework.js"
        integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"
        crossorigin="anonymous"></script>

Code Verify requires that for each new version of a given resource, e.g., the WhatsApp Web libraries, its publisher shares the corresponding hash with a trusted third-party source. The Code Verify extension then fetches that hash from a specific audit endpoint and compares it with the one it computes locally from the resource it actually received; a mismatch means the code running in the browser is not what the publisher released, regardless of how it got there. In WhatsApp's case, Code Verify relies on Cloudflare to act as the trusted third-party source. The overall flow of information is shown in the image below.

[Image: Code Verify flow of information, courtesy of Meta]

According to Meta, the extension does not log any data, metadata, or user data, and it does not share any information with WhatsApp or Cloudflare besides the cryptographic hash.
