Whistleblower Submission

WEBCAT is a multicomponent project; the easiest way to explain it is to start with the end-user experience. When a user visits a website that has enrolled in WEBCAT, before the site can load the content is checked against a signed manifest to ensure that it has not been tampered with

The users we’re trying to protect are engaged in an important, potentially high-stakes activity. Whether it’s using SecureDrop, GlobaLeaks, or another browser-based encryption tool

One use case that WEBCAT supports is that of site administrators self-hosting third-party applications — the backbone of the decentralized web. Self-hosted applications (like SecureDrop!)

WEBCAT is a project that lets application developers or service providers create and update signed artifacts attesting to the code that they are shipping; site owners enroll their domains that run these applications; and end users automatically verify that the code they are served is authentic

A signing script that allows application developers to generate a signed manifest to verify the content they intend to serve to users An enrollment server to allow site owners to enroll their website An updater service that builds a list of trusted signers per domain A Firefox extension, to provide the end user an in-browser integrity checking mechanism, which blocks code that fails integrity checks for enrolled websites and warns the user.

We’ll have more to say in the weeks and months to come. In the meantime, we welcome your feedback: you can write to us at <securedrop@freedom.press> (PGP-encrypted), or find us on GitHub.