Cloudflare and WhatsApp partner to pioneer a third-party security audit on Key Transparency technology
Sydney, Australia, September 24, 2024 – Cloudflare, Inc. (NYSE: NET), the leading connectivity cloud company, today announced a new service to verify the integrity of public keys in the end-to-end encryption of popular messaging applications. In end-to-end encrypted messaging applications, a public-private key exchange encrypts messages to protect against an outside party intercepting them. Now, Cloudflare is taking the burden off security-minded users who have previously had to manually verify public keys with their contacts. By automatically checking that public keys haven’t been tampered with, Cloudflare is helping to build trust that end-to-end encrypted messages are delivered to the intended recipients. WhatsApp has long partnered with Cloudflare for security verifications, and is again the first to implement this new auditing process to strengthen users’ trust in the application.
End-to-end encryption (E2EE) is a type of encryption that keeps messages private from everyone, including the actual messaging service itself. With end-to-end encryption, messages are only visible to the sender and the intended recipient. When someone sends a message, it is encrypted on their device before it is transmitted over the Internet. This means that the message is scrambled so that only the recipient’s device can decode it. Because the message is encrypted, even WhatsApp cannot read its contents. When the message arrives on the recipient’s device with a matching public key, it is decrypted back into its original form so that the recipient can read it. Many services offer a security key verification, which helps ensure users are indeed chatting with the intended recipient.
While verification of E2EE messaging infrastructure is most salient for security-conscious users like journalists, activists, and human rights defenders, it is recommended for everyone. Security-conscious users can manually verify the security of their conversation by checking a contact’s QR code via an alternative communication method. This verification should be done regularly, whenever a contact gets a new device, or to verify that the messaging app itself did not change or alter the keys.
Introducing Plexi, An Auditor for Key Transparency Infrastructure
Cloudflare has now introduced Plexi, an auditor for Key Transparency infrastructure. Key Transparency is an emerging standard designed to ensure the authenticity of encryption keys used in end-to-end messaging. It helps verify that the keys on both ends of the communication are legitimate, enabling secure message reception and reading. Cloudflare can now act as an auditor to this technology, by verifying that the logs of these keys are constructed correctly, and providing an audit signature that the messaging app can then pass on to users to improve trust in the system. Cloudflare is proud to partner with WhatsApp to serve as an auditor to their open-sourced Auditable Key Directory (AKD).
“At-risk organisations, journalists, and activists regularly rely on Cloudflare to secure their websites, emails, and traffic. We’re already trusted by millions of organisations and customers, and being an external auditor to end-to-end encrypted messaging apps is a natural extension of those values and our technology,” said Matthew Prince, co-founder and CEO, Cloudflare. “Establishing this verification process with WhatsApp sets a high bar for other messaging apps to follow suit.”
“We’re excited to partner with Cloudflare to further strengthen key transparency on WhatsApp and help reaffirm for users that their encrypted session is secure,” said Nitin Gupta, Head of Engineering, WhatsApp. “This partnership with Cloudflare will make it even easier for users to verify the authenticity of their chats.”
Independent researchers and security experts can read the technical blog at https://blog.cloudflare.com/key-transparency for a deeper understanding of how the verification system is built, and review the results of the proof verification published at https://dash.key-transparency.cloudflare.com. Cloudflare is interested in helping audit the integrity of all types of end-to-end encrypted infrastructure; companies or organisations interested in an audit can reach out at https://www.cloudflare.com/lp/privacy-edge/.
To learn more, please check out the resources below:
- Technical Blog: Cloudflare partners with WhatsApp to audit public key infrastructure
- Join us online for demos, product announcements, and more at our first Builder Day Live Stream on September 26 at 11am PT. Register at https://builderday.pages.dev.
About Cloudflare
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better Internet. It empowers organisations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organisation can gain the control they need to work, develop, and accelerate their business.
Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organisations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.