
How to Check Whether Your WhatsApp Web Code on Browser is Hacked

by CISOCONNECT Bureau

Recently, WhatsApp and Cloudflare have come up with a new initiative, ‘Code Verify’, to validate the authenticity of the messaging service’s web app on desktop computers.

Meta-owned WhatsApp now claims that WhatsApp Web is even more secure with Code Verify. WhatsApp, owned by Meta Platforms, and Cloudflare have teamed up for a new initiative dubbed Code Verify, which validates the authenticity of the messaging service’s web app on desktop PCs.

The open-source add-on, which is available as a Chrome and Edge browser extension, is designed to “automatically verif[y] the authenticity of the WhatsApp Web code being served to your browser,” according to Facebook.

WhatsApp said in a statement, “Since WhatsApp introduced multi-device capability last year, we’ve seen an increase in people accessing WhatsApp directly through their web browser via WhatsApp Web. With this shift in mind, we’ve been looking at ways to add additional layers of security to the WhatsApp Web experience.”

About Code Verify
The purpose of Code Verify is to authenticate the web application’s integrity and make sure it hasn’t been tampered with in order to inject malicious code. To achieve the same level of security across browsers, Meta Platforms plans to distribute Firefox and Safari plugins.

Cloudflare’s role is to act as an auditing entity for the WhatsApp Web JavaScript code shared by Meta. The technique compares the cryptographic hash of that code, as shared by Meta, with a locally generated hash of the code executing in the browser client, with Cloudflare acting as the third-party auditor.

 

Code Verify is also designed to be adaptable, so that whenever the WhatsApp Web code is updated, the cryptographic hash value is updated as well, ensuring that the code delivered to users is certified on the fly.

WhatsApp clarified in a separate FAQ on the latest security feature that “the extension won’t read or access the messages you send or receive, and we won’t know if you have downloaded the extension.” It further stated that the add-on does not log any data, metadata, or user data, and that it does not share any information with WhatsApp.

Cloudflare claimed that “The strategy by itself — evaluating hashes to detect tampering or even corrupted information — is just not new, but automating it, deploying it at scale, and making sure it ‘just works’ for WhatsApp buyers is.”

Working Mechanism
Code Verify builds on the concept of Subresource Integrity, a security feature that allows web browsers to verify that the resources they fetch haven’t been tampered with. Subresource Integrity only applies to single files, whereas Code Verify checks the resources on the entire page. Code Verify partners with Cloudflare to operate as a trusted third party to do this at scale and to increase trust in the process, according to the company.
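
As an added illustration (not code from Meta, Cloudflare or the Code Verify project), the Node.js sketch below models the comparison described above: every script on the page is hashed and checked against a published manifest, and the manifest itself is checked against a digest held by a third party. The manifest layout, the single "root" digest per version and all function names are assumptions made for the example.

```javascript
// Added illustration: a simplified model of a whole-page hash audit.
// This is not Code Verify's source; names and manifest layout are assumptions.
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');
const rootOf = (hashes) => sha256([...hashes].sort().join('\n'));

// Publisher side: hash every script in a release, then hash the sorted list of
// hashes so the auditor only has to hold one digest per version.
function buildManifest(version, scripts) {
  const hashes = scripts.map(sha256);
  return { version, hashes, root: rootOf(hashes) };
}

// Client side. 'green' and 'red' reuse the article's icon colours as labels.
function auditPage(servedManifest, auditorRoots, pageScripts) {
  // The manifest arrives from the same origin as the code, so it is trusted only
  // if its recomputed digest equals the copy held by the third party.
  const expected = auditorRoots[servedManifest.version];
  if (expected === undefined || rootOf(servedManifest.hashes) !== expected) {
    return { status: 'red', reason: 'manifest differs from auditor copy', unexpected: [] };
  }
  // SRI pins one file per tag; here every script on the page must be accounted for.
  const allowed = new Set(servedManifest.hashes);
  const unexpected = pageScripts.filter((src) => !allowed.has(sha256(src)));
  return unexpected.length === 0
    ? { status: 'green', reason: 'all scripts match', unexpected }
    : { status: 'red', reason: 'script not in audited manifest', unexpected };
}

// Constructed sample release and auditor record (not real WhatsApp Web code).
const release = ['function boot(){return 1}', 'function send(m){return m.length}'];
const manifest = buildManifest('v1-example', release);
const auditorRoots = { [manifest.version]: manifest.root };

function runScenarios() {
  const extra = 'console.log("script added after release")';
  const altered = [release[0], 'function send(m){return 0}'];
  return {
    clean: auditPage(manifest, auditorRoots, release),
    // One unlisted script fails the page even though both listed files are intact.
    addedScript: auditPage(manifest, auditorRoots, [...release, extra]),
    // Altered code shipped with a matching re-generated manifest still fails.
    swappedManifest: auditPage(buildManifest('v1-example', altered), auditorRoots, altered),
  };
}

console.log(runScenarios());
```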

Using Code Verify
Meta Open Source is offering the Code Verify extension, which will be available in the official browser extension stores for Google Chrome, Microsoft Edge, and Mozilla Firefox. The extension doesn’t save any data, metadata, or user information, and it doesn’t share any data with WhatsApp. It also does not access or read the messages you send or receive.

Code Verify will run immediately and if the WhatsApp Web code is properly validated, the Code Verify symbol in the browser will become green.

If the Code Verify icon turns orange, it signifies that you need to reload your page or that Code Verify is being interfered with by another browser extension. In this case, Code Verify will recommend that you pause your other browser extensions.

If the Code Verify symbol turns red, it means there’s a potential security issue with the WhatsApp Web code you’re being served.
