webext-signed-pages vs meta-code-verify

webext-signed-pages

A browser extension to verify the authenticity (PGP signature) of web pages (by tasn)

Code Verify is an open source web browser extension that confirms that your Facebook, Messenger, Instagram, and WhatsApp Web code hasn’t been tampered with or altered, and that the Web experience you’re getting is the same as everyone else’s. (by facebookincubator)

Suggest topics

Source Code

Suggest alternative

Edit details

SurveyJS - Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App

With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.

surveyjs.io

featured

InfluxDB - Power Real-Time Data Analytics at Scale

Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

www.influxdata.com

featured

webext-signed-pages		meta-code-verify
	Project
16	Mentions	5
180	Stars	133
-	Growth	0.0%
0.0	Activity	8.8
over 1 year ago	Latest Commit	about 2 months ago
JavaScript	Language	TypeScript
BSD 3-clause "New" or "Revised" License	License	MIT License

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

webext-signed-pages

Posts with mentions or reviews of webext-signed-pages. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-02-19.

E2EE on the web: is the web that bad?
2 projects | news.ycombinator.com | 19 Feb 2024

There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. https://github.com/tasn/webext-signed-pages
Cloudflare and CDNs - call for community opinions
2 projects | /r/ProtonMail | 25 May 2023

EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users.
Is there any tool to verify client-side website code you get served is the same as the open source version?
1 project | /r/PrivacyGuides | 17 Dec 2022

4 projects | /r/privacy | 14 Dec 2022
Truly safe?
1 project | /r/ProtonMail | 30 Jun 2022

There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used.
A browser that verifies Javascript
1 project | /r/ProtonMail | 5 Jun 2022
Security experts declare all Proton apps secure after security audit
2 projects | news.ycombinator.com | 18 Apr 2022

> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
ProtonMail Is Inherently Insecure, Your Emails Are Likely Compromised
4 projects | news.ycombinator.com | 15 Feb 2022

Something like a browser extension for this does already exist, fortunately:
https://github.com/tasn/webext-signed-pages
"Were you able to subpoena ProtonMail?"
1 project | /r/ProtonMail | 20 Jan 2022

In regards to untrusted webapp, yes, that is a reasonable attack vector. That said, I've heard from ProtonMail they have been considering to implement Signed Pages to help mitigate (at least some of the) issues with this attack vector.
Proton’s priorities
1 project | /r/ProtonMail | 5 Oct 2021

Which is why it is important to get proper E2E encryption on e-mail, where the source is open source and can be audited. And then that there are verify mechanisms to verify that the source code has not been manipulated. For web services there are signed-pages which is quite interesting.

meta-code-verify

Posts with mentions or reviews of meta-code-verify. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-05-15.

Code Verify: An open source browser extension for verifying code authenticity
1 project | news.ycombinator.com | 21 Feb 2024

(2022)
https://github.com/facebookincubator/meta-code-verify is the goods, and is MIT
https://github.com/facebookincubator/meta-code-verify#instal... says Safari support is "coming soon" (from 2022) so I guess they think those users don't need to "verify[..] the integrity of a web page."
Open Source Hacktivism, Open Source Gains Traction in the Enterprise, and More: Open Source Matters
8 projects | dev.to | 15 May 2022

Code Verify - A browser extension from Meta for verifying the integrity of web pages and detect executed code that’s not included in the site manifest.
Security experts declare all Proton apps secure after security audit
2 projects | news.ycombinator.com | 18 Apr 2022

> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
Code Verify – MIT extension that confirms that your WhatsApp Web not tampered
1 project | /r/CKsTechNews | 12 Mar 2022

1 project | news.ycombinator.com | 11 Mar 2022

What are some alternatives?

When comparing webext-signed-pages and meta-code-verify you can also consider the following projects:

photos-app - ➡️ Moved to https://github.com/ente-io/ente

FastTreeSHAP - Fast SHAP value computation for interpreting tree-based models

mailvelope - Browser extension for OpenPGP encryption with Webmail

ongdb - ONgDB is an independent fork of Neo4j® Enterprise Edition version 3.4.0.rc02 licensed under AGPLv3 and/or Community Edition licensed under GPLv3

frame - System-wide Web3 for macOS, Windows and Linux

xGitGuard - AI based Secrets Detection Python Framework

pacman-bintrans - Experimental binary transparency for pacman with sigstore and rekor

peacenotwar - Attempts to determine if the computer its running on has an IP originating from Russia or Belarus. If it is then depending on the version of the malware either attempts to delete all files on the computer, or creates a text file on the computers desktop protesting the war in ukraine.

leCrypt-web-extension - leCrypt is a decentralised password manager which is cross-platform, free and secure.

access-undenied-aws - Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps. Open-sourced by Ermetic.

proton-mail - React web application to manage ProtonMail

dagger - Application Delivery as Code that Runs Anywhere