kravietz 🦇Interesting new project from #Tor #SecureDrop - that’s essentially digitally signed web pages that are client-verified to prevent any server-side covert injection or backdooring. Sounds a bit like SRI (Subresource Integrity) but for the whole page and using digital signature not just server-delegated hash. Obviously, it won’t work for a typical ‘modern’ mash-up website that changes every minute, but sounds perfect for high-integrity and largely static pages such as SecureDrop.
WEBCAT helps protect users from malicious or unexpected changes to the client-side code of a web application. When a user visits a site that has enrolled in WEBCAT, the WEBCAT browser extension verifies the application’s served assets against a signed manifest before any content is executed. If verification fails, WEBCAT blocks the page from loading and shows a warning.
Help us test WEBCAT alpha
Web applications are only as trustworthy as the servers that serve them, and servers can get hacked. So, last year, we introduced WEBCAT (Web-Based Code Assurance and Transparency), a project designed to enable verifiable in-browser code for web applications. We wrote extensively about WEBCAT’s requirements, constraints, and goals.Today, we’re excited to announce the alpha release of WEBCAT. In particular, we invite community participation in a new, decentralized enrollment infrastructure.
SecureDrop
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕
Negative PID SL
