Web applications are only as trustworthy as the servers that serve them, and servers can get hacked. So, last year, we introduced WEBCAT (Web-Based Code Assurance and Transparency), a project designed to enable verifiable in-browser code for web applications. We wrote extensively about WEBCAT’s requirements, constraints, and goals.
Today, we’re excited to announce the alpha release of WEBCAT. In particular, we invite community participation in a new, decentralized enrollment infrastructure.
If you try out WEBCAT, we’d love to hear how it went at webcat@freedom.press.
Recap: What is WEBCAT?
WEBCAT helps protect users from malicious or unexpected changes to the client-side code of a web application. When a user visits a site that has enrolled in WEBCAT, the WEBCAT browser extension verifies the application’s served assets against a signed manifest before any content is executed. If verification fails, WEBCAT blocks the page from loading and shows a warning.
Crucially, this protects users from attacks where an attacker may compromise the server. For example, if the server hosting an end-to-end-encrypted (E2EE) web application is hacked, the attacker can tamper with the E2EE code to weaken it or bypass it altogether. This is not theoretical. For example, in the ByBit hack, attackers were able to tamper with client-side code served to users, causing the application to behave maliciously while still appearing legitimate.
Try WEBCAT as a user
WEBCAT is currently available as a browser extension for Firefox. Because it relies on the Manifest V2 API, which was deprecated by Chromium and Chromium-based browsers, it is currently not compatible with Google Chrome or Brave browsers. We’re exploring possible paths forward for these browser.
To install WEBCAT, visit the Mozilla Store.
WEBCAT only operates on websites enrolled and configured to use it. To see WEBCAT in action, after you install the WEBCAT browser extension (user guide), you can visit one of the following demos:
Or see its blocking capabilities on misconfigured or tampered demos:
Please remember that the WEBCAT browser extension is in an alpha stage. Some quirks are to be expected! It might slow down or interfere with webpages, and it might not yet provide the intended security guarantees. It should be installed only by people interested in experimenting with cutting-edge, unstable software.
Reporting bugs and feedback
If you discover a bug or want to make a feature request, you can file an issue in our GitHub repository.
You can also reach us at webcat@freedom.press.
Try WEBCAT on your own web application
Caution: WEBCAT for developers or webmasters may have rough edges. We may introduce breaking changes at any time and ask you to reenroll during this alpha period. However, WEBCAT-related changes to your website will only affect users of the WEBCAT browser extension, so we encourage you to get involved.
If you maintain a single-page web application or any static website, you can experiment with WEBCAT locally using a set of command-line tools called webcat-cli.
We’ve also written a set of guides to help understand the constraints and the overall process:
In the past, we’ve been successful at integrating WEBCAT into existing open source web applications, such as Jitsi, Element, Bitwarden, and GlobaLeaks.
We especially want feedback from teams who want to use WEBCAT, but find that the set of web application features supported by WEBCAT are not sufficient for their use case. WEBCAT has already expanded the features it supports in response to such feedback, and we want to continue doing so. If you are trying to enroll your website or port a web application, feel free to reach out or file an issue on GitHub.
For enrollment procedures and more documentation, visit the project website: https://webcat.tech. You can also jump straight to the enrollment page.
WEBCAT and Tor Browser
WEBCAT aims to support real-world use cases, including those of users who access sensitive web applications over Tor. WEBCAT’s integrity mechanism is compatible with non-TLS encrypted transports like Tor Onion services, which we’ve considered in the design from the start, since they are critical for whistleblowing applications.
We’re excited to share that we’ve been working in collaboration with the Tor Project on advancing WEBCAT and are beginning integration work with Tor Browser this year.
WEBCAT Ecosystem
As WEBCAT moves forward, it’s important that its supporting infrastructure is independently verifiable, resilient, and not reliant on a single centralized system, including Freedom of the Press Foundation (FPF). We’ve designed the enrollment infrastructure so that it can be hosted by a decentralized set of community members, such that no single community member can censor a site that wants to enroll in WEBCAT. Currently, only clearnet (TLS) websites can be enrolled in WEBCAT, but we plan to enable private enrollment of .onion domains in the future.
Similarly, we have expanded support to include both Sigsum signing and transparency logging, leveraging the witness network, as well as Sigstore-based signing, supported both manually and via automated workflows. In both cases, users may rely on existing community instances (such as the Sigstore public good instance) or deploy their own Sigsum log, witness, or complete Sigstore stack.
Interested in running WEBCAT infrastructure?
We’re looking for community members and aligned organizations that would be interested in running pieces of WEBCAT’s supporting enrollment infrastructure. If this sounds interesting to you or your org, we’d love to talk. Reach out to us at webcat@freedom.press.
We want your feedback
The web’s security model has long relied on trusting the server. WEBCAT is an attempt to change that, and your feedback at this early stage of active development is extremely valuable.
If you have thoughts or feedback, please:
- Email us at webcat@freedom.press.
- Join the conversation on GitHub: https://github.com/freedomofpress/webcat.