CTemplar Checksum Implementation

Encrypted Email Services Can Hack You Using JavaScript

JavaScript can be used to serve malicious code, exploits, or hacks. This is illustrated by GizmodoUSENIXAsk LeoStack Exchange, ITNEXT, and it is a recurring theme at the hacker conference DEFCON. JavaScript hacks are also the primary way to de-anonymize Deep Web users.

In November of 2018, Professor Kobeissi revealed that if JavaScript is required for encryption, it can also be used to hack users who use end-to-end encrypted email services.

Does having open-source code eliminate this risk? No, because open-source code is just an act to encourage users’ trust. The audited code in GitHub might not be the same code that is sent to you from a companies private server. There is no assurance or promise that the code hosted is the same as the one is served.

How Did We Solve This With Checksums?

The checksums, released on GitHub after every update, allows our users to quickly compare the code served to their browser, with the code hosted on GitHub within 15-30 seconds. Usually, comparing code can take hours or days. With checksums, you can do it in seconds.

Note: Checksums only guarantee the integrity index.html and it does not replace a proper code audit. It merely exists to help our users to quickly verify that the scripts served on CTemplar.com are the same as hosted on GitHub.

First, the file index.html starts the platform loading process and determines what is loaded, but when doing so, could pose a couple of risks:

  1. Someone/Something could modify the JavaScript files defined in the index.html making them harmful without the user’s knowledge.
  2. Someone/Something could make index.html load more JavaScript files than what the authors intended, making the website harmful to the users without the user’s knowledge.

In any case, if anyone wants to manually verify if our index.html hasn’t been tampered and is the same as the one being served, we have a guide in GitHub.

At the time of writing, our current checksum is:

SHA-256 checksum of index.html:


The CTemplar Team

Disclaimer: The checksums do not protect you from malicious code or spying from your browser, OS’s, plugins, ISP providers, running processes, or any other types of malwares or hardware backdoors. We do not protect against keyloggers that may be installed on your computer.