This is over a week old, but this project announcement from SecureDrop/Freedom of the Press Foundation has a lot of potential!
In this post, we introduce Web-based Code Assurance and Transparency, a project that supports verifiable in-browser code for single-page browser applications. Along with this post, we are publishing the WEBCAT project repository; follow-up posts will provide more detailed information.
The SecureDrop team has created a developer preview of a WEBCAT-compatible browsing extension that implements this functionality.
WEBCAT is a project that lets application developers or service providers create and update signed artifacts attesting to the code that they are shipping; site owners enroll their domains that run these applications; and end users automatically verify that the code they are served is authentic. Auditors may independently observe, reproduce, and evaluate the entire process.
The system is designed to fail closed for end users, meaning that a user doesn’t have to know or do anything to take advantage of the integrity mechanisms; they simply browse the web as they normally would.
WEBCAT has four main components:
- A signing script that allows application developers to generate a signed manifest to verify the content they intend to serve to users
- An enrollment server to allow site owners to enroll their website
- An updater service that builds a list of trusted signers per domain
- A Firefox extension, to provide the end user an in-browser integrity checking mechanism, which blocks code that fails integrity checks for enrolled websites and warns the user.
WEBCAT does not depend on TLS, making it easy to integrate over other encrypted transport mechanisms, such as Tor Onion Services.
Additionally, they are also in communication with the Tor Project to implement WEBCAT compatibility in Tor Browser.
We’re in early discussions with the Tor Project about delivering WEBCAT-like functionality through Tor Browser, and we’re grateful to the Tor team for its work on the project in an advisory capacity and providing crucial early feedback.
Really exciting developments lately!