WhatsApp partners with Cloudflare to strengthen its security. And if you use WhatsApp in the browser, the idea is interesting

  • 5

WhatsApp took an important step in the security of its service when it implemented end-to-end encryption of its chats. This made it very difficult for a potential cyber attacker to “see” those messages, and protected users from interference in their communications.

The service now proposes one more improvement that is aimed at those who use WhatsApp Web in the browser. An extension developed by WhatsApp and Cloudflare will allow verifying that that version of WhatsApp has not been manipulated nor does it have malicious code.

An optional extension to ensure that the WhatsApp Web you are using is secure and private

As those responsible for Cloudflare explained, when our browser downloads code from a website it is difficult to know if that code is legitimate or not.

Screenshot 2022 03 10 At 12 43 00

Code Verify checks that the WhatsApp Web code we use against a WhatsApp verified source available on Cloudflare CDNs. The goal: to ensure that the version of WhatsApp Web that we use is authentic. Source: Cloudflare.

Mobile app stores allow Google or Apple to verify the code of those apps is legitimate and safe, but even they do not always manage to control that section: on the web this is even more complicated.

How WhatsApp end-to-end encryption works and what implications it has for privacy

Precisely that is what WhatsApp and Cloudflare want to solve with Code Verifyan extension for browsers such as Chrome or Firefox that is responsible for verifying that the WhatsApp Web session that we are using uses a secure and untampered code.

WhatsApp engineers explained that the operation of Code Verify is based on a security feature called Subresource integrity (SRI), and which allows browsers to verify that the resources they collect (for example, from a CDN) they have not been manipulated.

Cloudflare, which is well known for its CDNs and DNS servers, has taken it upon itself in the past to mitigate massive DDoS attacks, and has extensive experience in this ambit.

The extension it’s totally optional —you can install it or do nothing and continue as before— and it has been developed by Meta and its Open Source division —the code is therefore susceptible to being audited at any time— and it is available for Google Chrome, Mozilla Firefox and Microsfot Edge .

It does not collect any type of data or share information with WhatsAppand in fact neither there nor in Meta will know that we have downloaded the extension.

Screenshot 2022 03 10 At 12 41 36

The operation of Code Verify is very simple, and their activity is signaled like a traffic light: If the code is valid, the Code Verify icon is green. If it turns yellow, there has been some interference in the validation process and it is convenient to update the page. If it turns red, there is a possible security issue with the WhatsApp Web code being served.

In the latter case, measures can be taken such as pausing the other extensions, switch to a mobile version of WhatsApp or download the source code and have it analyzed by a third-party organization.

WhatsApp took an important step in the security of its service when it implemented end-to-end encryption of its chats. This…

WhatsApp took an important step in the security of its service when it implemented end-to-end encryption of its chats. This…

Leave a Reply

Your email address will not be published.