Originally created to help WhatsApp users verify the authenticity of the WhatsApp Web code being served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox that, according to Meta, can provide the same level of security to other web services.
We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale. We hope that more services use the open source version of Code Verify and make third-party verified web code the new norm.
Code Verify builds on the idea of subresource integrity and extends it from the individual file level to the entire web page. Subresource integrity (SRI) is a W3C recommendation that aims to ensure the content delivered to a browser has not been manipulated. It is important to understand that secure transport, whether TLS, HSTS, or other mechanisms, mitigates tampering in transit by authenticating the server that provides the content, but it does not protect against content that has already been compromised on its legitimate source server before it is served.
Subresource integrity extends two HTML elements, script and link, with an integrity attribute that carries a cryptographic hash of the expected resource, e.g.:
<script src="https://example.com/example-framework.js"
        integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"
        crossorigin="anonymous"></script>
Code Verify requires that, for each new version of a given resource (e.g., the WhatsApp Web libraries), its publisher shares the corresponding hash with a trusted third party. The Code Verify extension then fetches that hash from a dedicated audit endpoint and compares it with the hash it computes locally over the resource the browser actually received; a mismatch signals that the served code differs from what the publisher released. In WhatsApp's case, Code Verify relies on Cloudflare to act as the trusted third party. The overall flow of information is shown in the image below.
(Image courtesy of Meta)
According to Meta, the extension does not log any data, metadata, or user data, and it does not share any information with WhatsApp or Cloudflare besides the cryptographic hash.