Meta Open Sources browser extension to establish authenticity of web code


Initially created to help WhatsApp users verify the authenticity of the WhatsApp web code served to their browsers, Code Verify is a new open source extension for Chromium, Edge and Firefox that lets other web services provide the same level of security, Meta explains.

We believe that with Code Verify, we are breaking into new territory with automatic third-party code verification, especially at this scale. We hope more services will use the open source version of Code Verify and make third-party verified web code the new normal.

Code Verify builds on the idea of Subresource Integrity (SRI) and extends it from the individual file level to the entire web page. SRI is a W3C recommendation that aims to ensure that content delivered to a browser has not been manipulated. It is important to understand that secure channels relying on TLS, HSTS and similar mechanisms mitigate tampering in transit by ensuring that the server providing the content is indeed the expected one, but they do not protect against content that has been compromised directly on its legitimate origin server. A hash embedded in the page's own HTML does not close that gap either, since whoever controls the server can rewrite the hash alongside the script, which is why Code Verify moves the expected hash to an independent party.

Subresource Integrity extends two HTML elements, script and link, with an integrity attribute that carries a cryptographic hash of the expected resource, prefixed by the name of the hash algorithm used (sha256, sha384 or sha512).

Code Verify requires that, for each new version of a given resource (for example, the WhatsApp web libraries), its publisher shares the corresponding hash with a trusted third party. The Code Verify extension then retrieves this hash from a dedicated audit endpoint and compares it with the one it computes locally from the resource the browser actually received. In the case of WhatsApp, Code Verify relies on Cloudflare to act as the trusted third party. The overall flow of information is shown in the image below.

(Image courtesy of Meta)

According to Meta, the extension does not log any data, metadata or user data, and it does not share any information with WhatsApp or Cloudflare aside from the cryptographic hash.
