How do you know the code your web browser downloads when visiting a website is the code the website intended you to run? In contrast to a mobile app downloaded from a trusted app store, the web doesn’t provide the same degree of assurance that the code hasn’t been tampered with. Today, we’re excited to be partnering with WhatsApp to provide a system that assures users that the code run when they visit WhatsApp on the web is the code that WhatsApp intended.

With WhatsApp usage in the browser growing, and the increasing number of at-risk users - including journalists, activists, and human rights defenders - WhatsApp wanted to take steps to provide assurances to browser-based users. They approached us to help dramatically raise the bar for third-parties looking to compromise or otherwise tamper with the code responsible for end-to-end encryption of messages between WhatsApp users.

So how will this work? Cloudflare holds a hash of the code that WhatsApp users should be running. When users run WhatsApp in their browser, the WhatsApp Code Verify extension compares a hash of that code that is executing in their browser with the hash that Cloudflare has - enabling them to easily see whether the code that is executing is the code that should be.

The idea itself - comparing hashes to detect tampering or even corrupted files - isn’t new, but automating it, deploying it at scale, and making sure it “just works” for WhatsApp users is. Given the reach of WhatsApp and the implicit trust put into Cloudflare, we want to provide more detail on how this system actually works from a technical perspective.

Before we dive in, there's one important thing to explicitly note: Cloudflare is providing a trusted audit endpoint to support Code Verify. Messages, chats or other traffic between WhatsApp users are never sent to Cloudflare; those stay private and end-to-end encrypted. Messages or media do not traverse Cloudflare’s network as part of this system, an important property from Cloudflare’s perspective in our role as a trusted third party.

Hark back to 2003: Fedora, a popular Linux distribution based on Red Hat, has just been launched. You’re keen to download it, but want to make sure you have the “real” Fedora, and that the download isn’t a “fake” version that siphons off your passwords or logs your keystrokes. You head to the download page, kick off the download, and see an MD5 hash (considered secure at the time) next to the download. After the download is complete, you run md5 fedora-download.iso and compare the hash output to the hash on the page. They match, life is good, and you proceed to installing Fedora onto your machine.

But hold on a second: if the same website providing the download is also providing the hash, couldn’t a malicious actor replace both the download and the hash with their own values? The md5 check we ran above would still pass, but there’s no guarantee that we have the “real” (untampered) version of the software we intended to download.

Hosting the hash on the same server as the software is still common in 2022.

There are other approaches that attempt to improve upon this - providing signed signatures that users can verify were signed with “well known” public keys hosted elsewhere. Hosting those signatures (or “hashes”) with a trusted third party dramatically raises the bar when it comes to tampering, but now we require the user to know who to trust, and require them to learn tools like GnuPG. That doesn’t help us trust and verify software at the scale of the modern Internet.

This is where the Code Verify extension and Cloudflare come in. The Code Verify extension, published by Meta Open Source, automates this: locally computing the cryptographic hash of the libraries used by WhatsApp Web and comparing that hash to one from a trusted third-party source (Cloudflare, in this case).

We’ve illustrated this to make how it works a little clearer, showing how each of the three parties - the user, WhatsApp and Cloudflare - interact with each other.

Broken down, there are four major steps to verifying the code hasn’t been tampered with:

1. WhatsApp publishes the latest version of their JavaScript libraries to their servers, and the corresponding hash for that version to Cloudflare’s audit endpoint.
2. A WhatsApp web client fetches the latest libraries from WhatsApp.
3. The Code Verify browser extension subsequently fetches the hash for that version from Cloudflare over a separate, secure connection.
4. Code Verify compares the “known good” hash from Cloudflare with the hash of the libraries it locally computed.

If the hashes match, as they should under almost any circumstance, the code is “verified” from the perspective of the extension.
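
The four verification steps and the same-server hash problem described above, modeled in memory as an added example (not code from Code Verify, Meta or Cloudflare). SHA-256, the function names `publish`, `tamperOrigin`, `verify` and `demo`, and the two Maps standing in for WhatsApp's servers and Cloudflare's audit endpoint are all assumptions.

```javascript
// Added illustration: in-memory model of the four-step flow. SHA-256 and all
// names here are assumptions, not the extension's or Cloudflare's actual code.
const { createHash } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest('hex');

// Step 1: the publisher ships a release to its own origin and registers the
// hash for that version with an independent audit endpoint.
function publish(origin, audit, version, source) {
  origin.releases.set(version, { source, hash: sha256(source) });
  audit.set(version, sha256(source));
}

// Models a party that controls the origin only: it can replace the code and
// the hash served beside it, but cannot write to the audit endpoint.
function tamperOrigin(origin, version, source) {
  origin.releases.set(version, { source, hash: sha256(source) });
}

// Steps 2-4: fetch the code, hash it locally, compare with a reference hash.
function verify(origin, audit, version) {
  const served = origin.releases.get(version); // step 2: fetch from origin
  if (!served) return { sameOriginCheck: false, thirdPartyCheck: false };
  const local = sha256(served.source); // hash computed on the client
  return {
    // The 2003 model: the reference hash comes from the same server.
    sameOriginCheck: local === served.hash,
    // Steps 3-4: the reference hash comes from the separate audit endpoint.
    // A version the endpoint has never seen fails closed.
    thirdPartyCheck: audit.has(version) && local === audit.get(version),
  };
}

// Constructed sample data: one clean release, then the origin is altered.
function demo() {
  const origin = { releases: new Map() };
  const audit = new Map();
  publish(origin, audit, '1.0.0', 'export const send = (m) => encrypt(m);');
  const clean = verify(origin, audit, '1.0.0');
  tamperOrigin(origin, '1.0.0', 'export const send = (m) => leak(m);');
  const tampered = verify(origin, audit, '1.0.0');
  return { clean, tampered };
}
```

After the origin is altered, the same-origin check still passes while the third-party check fails, which is the gap the separate audit endpoint closes.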