Code Verify: an open-source browser extension to verify the authenticity of code on the web

Since the introduction of WhatsApp multi-device capability Last year we saw an increase in the number of people accessing WhatsApp directly through their web browser through WhatsApp Web. With this change in mind, we looked for ways to add additional layers of security to the WhatsApp web experience. Starting today, you can now use Code Verify, an open-source web browser extension that automatically verifies the authenticity of WhatsApp web code served to your browser. Code Verify confirms that your WhatsApp web code has not been tampered with or altered, and that the WhatsApp web experience you get is the same as everyone else’s.

For years, WhatsApp has protected the personal messages you send on WhatsApp Web with end-to-end encryption as they travel from sender to recipient. But security-conscious users should be sure that when WhatsApp Web receives these encrypted messages, it is also protected. Unlike a downloadable mobile app, a web app is typically offered directly to users, without a third party reviewing and auditing the code. There are many factors that could weaken a web browser’s security that don’t exist in the mobile app space, such as browser extensions. Additionally, since the mobile app space was created after the web was created, the security guarantees offered on mobiles can be stronger, especially since third-party app stores review and approve every update. application and software updates. But today, that changes, as Code Verify brings even more security to WhatsApp Web.

Code Verify works in partnership with Cloudflare, a web infrastructure and security company, to provide independent, third-party, and transparent verification of the code served to you on WhatsApp Web. We hope this will reassure risky users.

No other end-to-end encrypted email service has this level of security for people’s communications over the web. In addition to deploying Code Verify for WhatsApp Web, it is also offered as open source so that other services can also use it. Below is an overview of how Code Verify works, how to use it, and the value of its open source.

How code verification works

Code Verify develops the concept of sub-resource integrity, a security feature that allows web browsers to verify that the resources they fetch have not been manipulated. Sub-resource integrity only applies to single files, but Code Verify verifies resources across the entire web page. To do this at scale and to build trust in the process, Code Verify partners with Cloudflare to act as a trusted third party.

We gave Cloudflare a cryptographic hash truth source for the WhatsApp Web JavaScript code. When someone uses Code Verify, the extension automatically compares the code running on WhatsApp Web with the version of the code verified by WhatsApp and published on Cloudflare. If there are any inconsistencies, Code Verify will notify the user.

While comparing hashes to detect files that have been tampered with is nothing new, Code Verify does it automatically, with the help of third-party verification from Cloudflare, and at this scale for the first time. WhatsApp’s security protections, Code Verify extension, and Cloudflare all work together to provide real-time code verification. Whenever the code of WhatsApp Web is updated, the source of truth and the cryptographic hash extension will also be updated automatically.

WhatsApp Code Verification
Code Verify is the WhatsApp Web Code served to you with a source of truth verified by WhatsApp and published on Cloudflare to ensure that the version of WhatsApp Web you are using is authentic. (Image source: Cloudflare)

Cloudflare has provided a more in-depth analysis of how this system works, including its role as a trusted third party, on its blog which can be found here.

How to use code verification

The Code Verify extension is offered by Meta Open Source and will be available on official browser extension stores for Google Chrome, Microsoft Edge and Mozilla Firefox. The extension does not save any data, metadata or user data, and does not share any information with WhatsApp. It also does not read or access any messages you send or receive. In fact, neither WhatsApp nor Meta will know if someone has downloaded the Code Verify extension. Additionally, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare.

Once installed, Code Verify will run automatically when you access WhatsApp Web and act as a real-time alert system for the code served to you on WhatsApp Web. Pinning the extension to your web browser’s toolbar will allow you to see its results without any additional steps. You can think of Code Verify as a traffic light for your WhatsApp web code:

  • Code Verify will run immediately and if the WhatsApp Web Code is fully validated, the Code Verify icon in the browser will appear green (see below).
  • If the Code Verify icon appears orange (see below), it means you need to refresh your page or another browser extension is interfering with Code Verify. In this case, Code Verify will recommend that you suspend your other browser extensions.
  • If the code verification icon appears in red (see below), this will indicate that there is a possible security issue with the WhatsApp web code served to you.

WhatsApp Code VerificationYou can find more information about using Code Verify and the steps to follow in case of validation failures or other issues here.

Open source so others can benefit from it too

Code Verify is available on GitHub. The open source Code Verify extension has a few important advantages. First, it allows other companies, groups, and individuals to apply this same level of transparency to their own applications and freely share new ideas with each other to help improve functionality. Second, it puts the power of transparency in the hands of the people. As a browser extension that exists independently of WhatsApp and its infrastructure, users can see for themselves that the extension has not been tampered with. Third, this same discoverability also protects the extension itself. Since it exists in the public eye, it can enjoy the protections of a vigilant open source community.

We believe that with Code Verify, we are breaking new ground with automatic third-party code verification, especially at this scale. We hope more services will use the open source version of Code Verify and make third-party verified web code the new normal. And in doing so, we hope it will help bring additional security protections to people around the world and move the industry as a whole forward.

Download the Code Verify extension to:

Chromium

Edge

Firefox (coming soon)

amoloans