WhatsApp Web strengthens its security with Code Verify, an extension developed in conjunction with Cloudflare that lets users know whether the encryption keys were compromised and, therefore, whether the privacy of the communication is at risk.
It should be remembered that all messages sent via WhatsApp are protected with end-to-end encryption, a security technique in which all content shared through the service (messages, photos, videos, etc.) travels in encrypted form and is only decrypted when it reaches the recipient's device. This means that even if an attacker were to intercept the content during transmission, they would not be able to access it because it is encrypted.
Before a message leaves the sender's mobile, it is secured with a cryptographic padlock to which only the recipient has the key. Also, the keys change with each message that is sent.
The system itself is quite secure if that encryption works properly. To corroborate this, a new system was devised in partnership with the security company Cloudflare.
How to use this verification system
To use this option, it is necessary to download the Code Verify extension, which is available for Chrome, Firefox and Edge. This open source tool allows you to verify that the encrypted communication was not compromised.
The first step is to install the extension. Then open WhatsApp Web; when Code Verify is activated, you will see an icon that can take one of three colors depending on the case:
1. Green means that the security was not violated.
2. Orange indicates that some element is affecting the verification. Either another browser extension is interfering with the verification, or the request timed out. It is necessary to refresh the page and see whether this color is repeated or whether one of the other two appears to confirm the situation.
3. Red identifies a problem with the WhatsApp code that is being used. In this case, you have to stop using the web version, switch to the mobile and download the source code so that the situation can be analyzed.
The technology behind this system
Code Verify allows browsers to verify that resources have not been tampered with. Every time WhatsApp Web is used, the extension compares the fingerprint or hash of the code received in the browser with the hash of the WhatsApp code.
If the hashes match, there is no problem: there was no encryption vulnerability. If they do not match, the user is alerted, because that implies that the communication is exposed to a possible risk.
It should be noted that all of this is done without Cloudflare having access to the content being exchanged. The company clarifies that during this audit process, all communication remains private, with the corresponding end-to-end encryption.
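The comparison described above, as an added example (not Code Verify's own code): a simplified Node.js sketch that fingerprints the scripts a page received, compares the result with a reference fingerprint, and maps the outcome to the three icon colors. The function names, the way per-file hashes are combined, and the sample scripts are assumptions made for illustration.

```javascript
// Added illustration, not Code Verify's source. All names and data are constructed.
const { createHash } = require('node:crypto');

// SHA-256 fingerprint of a string, hex-encoded.
function fingerprint(body) {
  return createHash('sha256').update(body, 'utf8').digest('hex');
}

// Combine per-resource fingerprints into one fingerprint for the whole page.
// Sorting by URL makes the result independent of the order scripts loaded in.
function pageFingerprint(resources) {
  const lines = Object.keys(resources).sort()
    .map((url) => `${url} ${fingerprint(resources[url])}`);
  return fingerprint(lines.join('\n'));
}

// Map the comparison onto the three icon colors the article describes.
// reference: expected fingerprint as 64 hex characters, or null when it could
// not be obtained (for example the request timed out).
function verifyPage(resources, reference) {
  if (typeof reference !== 'string' || !/^[0-9a-f]{64}$/.test(reference)) {
    return 'orange'; // verification could not complete, so neither result is claimed
  }
  return pageFingerprint(resources) === reference ? 'green' : 'red';
}

// Constructed sample: two script bodies standing in for the genuine page.
const served = {
  '/app.js': 'function send(m){ return encrypt(m); }',
  '/vendor.js': 'export const version = 1;',
};
const reference = pageFingerprint(served);

// The same page with one script altered, and with one unexpected script added.
const tampered = { ...served, '/app.js': served['/app.js'] + ' /* altered */' };
const injected = { ...served, '/extra.js': 'void 0;' };

console.log(verifyPage(served, reference));   // green
console.log(verifyPage(tampered, reference)); // red
console.log(verifyPage(injected, reference)); // red
console.log(verifyPage(served, null));        // orange
```

Because the page fingerprint covers every resource and its URL, an added script is caught as well as a modified one. A browser extension would compute the digests with the Web Crypto API instead of Node's `crypto` module.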
On the other hand, being an open source application, there is transparency as to how it works. The other point in favor is that this development can be used by other messaging services if they wish to generate another way of verifying the security of communications for users.