Accountable Javascript Code Delivery
This addresses the problem of ensuring code consistency and auditability for web applications, benefiting users and auditors, but it is incremental as it builds on existing accountability efforts like Code Verify.
The paper tackles the lack of transparency and audit mechanisms for web applications by proposing Accountable JS, a browser extension and protocol for accountable code delivery, which is prototyped and formally analyzed with security properties modeled using the Tamarin Prover, and evaluated for compatibility and performance on cases like WhatsApp Web, AdSense, and Nimiq, with performance impacts compared to Meta's Code Verify. It includes formal modeling of Code Verify and shows that accountability is being deployed at scale, as seen with Code Verify available to 2 billion WhatsApp users.
The internet is a major distribution platform for web applications, but there are no effective transparency and audit mechanisms in place for the web. Due to the ephemeral nature of web applications, a client visiting a website has no guarantee that the code it receives today is the same as yesterday, or the same as other visitors receive. Despite advances in web security, it is thus challenging to audit web applications before they are rendered in the browser. We propose Accountable JS, a browser extension and opt in protocol for accountable delivery of active content on a web page. We prototype our protocol, formally model its security properties with the Tamarin Prover, and evaluate its compatibility and performance impact with case studies including WhatsApp Web, AdSense and Nimiq. Accountability is beginning to be deployed at scale, with Meta's recent announcement of Code Verify available to all 2 billion WhatsApp users, but there has been little formal analysis of such protocols. We formally model Code Verify using the Tamarin Prover and compare its properties to our Accountable JS protocol. We also compare Code Verify's and Accountable JS extension's performance impacts on WhatsApp Web.