How Cloudflare verifies the code WhatsApp Web serves to users

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • webappsec

    Web Application Security Working Group repo

  • It's great to hear that you want this added to browsers themselves, and you're right that browsers are more likely to implement such changes if you can show that users are deliberately installing an extension to add the missing functionality.

    There has been some discussion at the W3C about extending the SRI spec in this direction[0], but it seems they are reluctant to do that unless "multiple browser vendors" choose to implement something like this.[1] Hopefully the existence and adoption of this browser extension helps to solve that bootstrapping / Catch-22 problem.

    As for usability, would it be sufficient to just adopt a TOFU model, where the browser pins the first key it sees for a domain? To prevent the risk of permanently bricking a site (if the key gets lost, or the host gets temporarily compromised) you could politely warn the user that the key has changed, or just show a different colour icon representing that the code is correctly signed with an unknown key.

    [0] https://github.com/w3c/webappsec/issues/449

    [1] https://github.com/w3c/webappsec-subresource-integrity/issue...

  • webappsec-subresource-integrity

    WebAppSec Subresource Integrity

