Sat, 28 Sep

Cloudflare and WhatsApp partner to pioneer a third-party security audit on Key Transparency technology

Cloudflare Helps Secure the World’s Most Popular Messaging Applications

Cloudflare, Inc.
Daniella Vallurupalli
Vice President, Head of Global Communications
press@cloudflare.com

Cloudflare, Inc. (NYSE: NET), the leading connectivity cloud company, today announced a new service to verify the integrity of public keys in the end-to-end encryption of popular messaging applications. When using end-to-end encrypted messaging applications, a public-private key exchange encrypts messages to protect against an outside party intercepting messages. Now, Cloudflare is taking the burden off security-minded users who have previously had to manually verify public keys with their contacts. By automatically checking that public keys haven't been tampered with, Cloudflare is helping to build trust that end-to-end encrypted messages are delivered to the intended recipients. WhatsApp has long partnered with Cloudflare for security verifications, and is again the first to implement this new auditing process to strengthen users’ trust in the application.

End-to-end encryption (E2EE) is a type of encryption that keeps messages private from everyone, including the actual messaging service itself. With end-to-end encryption, messages are only visible to the sender and the intended recipient. When someone sends a message, it is encrypted on their device before it is transmitted over the Internet. This means that the message is scrambled so that only the recipient's device can decode it. Because the message is encrypted, even WhatsApp cannot read its contents. When the message arrives on the recipient’s device with a matching public key, it is decrypted back into its original form so that the recipient can read it. Many services offer a security key verification, which helps ensure users are indeed chatting with the intended recipient.

While verification of E2EE messaging infrastructure is most salient for security-conscious users like journalists, activists, and human rights defenders, it is recommended for everyone. Security-conscious users can manually verify the security of their conversation by checking a contact’s QR code via an alternative communication method. This verification should be done regularly, whenever a contact gets a new device, or to verify that the messaging app itself did not change or alter the keys.

Introducing Plexi, an auditor for Key Transparency infrastructure

Cloudflare has now introduced Plexi, an auditor for Key Transparency infrastructure. Key Transparency is an emerging standard designed to ensure the authenticity of encryption keys used in end-to-end messaging. It helps verify that the keys on both ends of the communication are legitimate, enabling secure message reception and reading. Cloudflare can now act as an auditor to this technology, by verifying that the logs of these keys are constructed correctly, and providing an audit signature that the messaging app can then pass on to users to improve trust in the system. Cloudflare is proud to partner with WhatsApp to serve as an auditor to their open-sourced Auditable Key Directory (AKD).

“At-risk organizations, journalists, and activists regularly rely on Cloudflare to secure their websites, emails, and traffic. We’re already trusted by millions of organizations and customers, and being an external auditor to end-to-end encrypted messaging apps is a natural extension of those values and our technology,” said Matthew Prince, co-founder and CEO, Cloudflare. “Establishing this verification process with WhatsApp sets a high bar for other messaging apps to follow suit.”

“We’re excited to partner with Cloudflare to further strengthen Key Transparency on WhatsApp and help reaffirm for users that their encrypted session is secure,” said Nitin Gupta, Head of Engineering, WhatsApp. “This partnership with Cloudflare will make it even easier for users to verify the authenticity of their chats.”

Independent researchers and security experts can read the technical blog at https://blog.cloudflare.com/key-transparency for a deeper understanding of how the verification system is built, and review the results of the proof verification published at https://dash.key-transparency.cloudflare.com. Cloudflare is interested in helping audit the integrity of all types of end-to-end encrypted infrastructure; companies or organizations interested in an audit can reach out at https://www.cloudflare.com/lp/privacy-edge/.


About Cloudflare

Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better Internet. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business.

Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest Internet trends and insights at https://radar.cloudflare.com.


Forward-Looking Statements

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding the capabilities and effectiveness of Plexi and its related features and Cloudflare’s other products and technology, the benefits to Cloudflare’s customers from using Plexi and its related features and Cloudflare’s other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on August 1, 2024, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

© 2024 Cloudflare, Inc. All rights reserved. Cloudflare, the Cloudflare logo, and other Cloudflare marks are trademarks and/or registered trademarks of Cloudflare, Inc. in the U.S. and other jurisdictions. All other marks and names referenced herein may be trademarks of their respective owners.

