London, UK – 24^th September, 2024 – Cloudflare, the leading connectivity cloud company, today announced a new service to verify the integrity of public keys in the end-to-end encryption of popular messaging applications. When using end-to-end encryption messaging applications, a public-private key exchange encrypts messages to protect against an outside party intercepting messages. Now, Cloudflare is taking the burden off security-minded users that have previously had to manually verify public keys with their contacts.

By automatically checking that public keys haven't been tampered with, Cloudflare is helping to build trust that end-to-end encrypted messages are delivered to the intended recipients. WhatsApp has long partnered with Cloudflare for security verifications and is again the first to implement this new auditing process to strengthen users' trust in the application.

End-to-end encryption (E2EE) is a type of encryption that keeps messages private from everyone, including the actual messaging service itself. With end-to-end encryption, messages are only visible to the sender and the intended recipient.

When someone sends a message, it is encrypted on their device before it is transmitted over the Internet. This means that the message is scrambled so that only the recipient's device can decode it. Because the message is encrypted, even WhatsApp cannot read its contents. When the message arrives on the recipient's device with a matching public key, it is decrypted back into its original form so that the recipient can read it. Many services offer a security key verification, which helps ensure users are indeed chatting with the intended recipient.

While verification of E2EE messaging infrastructure is most salient for security-conscious users like journalists, activists, and human rights defenders, it is recommended for everyone. Security-conscious users can manually verify the security of their conversation by checking a contact's QR code via an alternative communication method. This verification should be done regularly, whenever a contact gets a new device, or to verify that the messaging app itself did not change or alter the keys.

Introducing Plexi, an auditor for key Transparency infrastructure

Cloudflare has now introduced Plexi, an auditor for Key Transparency infrastructure. Key Transparency is an emerging standard designed to ensure the authenticity of encryption keys used in end-to-end messaging. It helps verify that the keys on both ends of the communication are legitimate, enabling secure message reception and reading. Cloudflare can now act as an auditor to this technology, by verifying that the logs of these keys are constructed correctly and providing an audit signature that the messaging app can then pass on to users to improve trust in the system. Cloudflare is proud to partner with WhatsApp to serve as an auditor to their open-sourced Auditable Key Directory (AKD).

"At-risk organiSations, journalists, and activists regularly rely on Cloudflare to secure their websites, emails, and traffic. We're already trusted by millions of organisations and customers, and being an external auditor to end-to-end encrypted messaging apps is a natural extension of those values and our technology," said Matthew Prince, co-founder and CEO, Cloudflare. "Establishing this verification process with WhatsApp sets a high bar for other messaging apps to follow suit."

"We're excited to partner with Cloudflare to further strengthen Key Transparency on WhatsApp and help reaffirm for users that their encrypted session is secure," said Nitin Gupta, Head of Engineering, WhatsApp. "This partnership with Cloudflare will make it even easier for users to verify the authenticity of their chats.

Independent researchers and security experts can read the technical blog at https://blog.cloudflare.com/key-transparency for a deeper understanding on how the verification system is built and review the results of the proof verification published at https://dash.key-transparency.cloudflare.com. Cloudflare is interested in helping audit the integrity of all types of end-to-end encrypted infrastructure; companies or organizations interested in an audit can reach out at https://www.cloudflare.com/lp/privacy-edge/.

To learn more, please check out the resources below:

• Technical Blog: Cloudflare partners with WhatsApp to audit public key infrastructure
• Join us online for demos, product announcements, and more at our first Builder Day Live Stream on September 26 at 11am PT. Register at builderday.pages.dev.