SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Cloudflare & WhatsApp collaborate on key verification service

Fri, 27th Sep 2024

Cloudflare has announced Plexi, a service aimed at verifying the integrity of public keys in the end-to-end encryption used by popular messaging applications. WhatsApp will be the first to implement this new auditing process, which is designed to strengthen user trust in the application's encryption methods.

Public key transparency and auditing are becoming increasingly important in ensuring the security of encrypted communications. Much like how certificate transparency is used to ensure the integrity of digital certificates that encrypt web traffic, Cloudflare hopes that its new service will make public key verification a seamless and automatic process for end-to-end encrypted (E2EE) systems. This removes the need for users to manually verify public keys by other means, such as scanning QR codes.

Matthew Prince, co-founder and CEO of Cloudflare, emphasised how the introduction of Plexi aligns with their broader mission of improving security across the internet. "At-risk organisations, journalists, and activists regularly rely on Cloudflare to secure their websites, emails, and traffic. We're already trusted by millions of organisations and customers, and being an external auditor to end-to-end encrypted messaging apps is a natural extension of those values and our technology," he said. "Establishing this verification process with WhatsApp sets a high bar for other messaging apps to follow suit."

End-to-end encryption keeps messages private by rendering them indecipherable to anyone other than the intended recipient. Once a message is encrypted on the sender's device, it remains scrambled until it reaches the recipient's device, which holds the corresponding public key to decipher the message. This encryption method prevents even the service provider from accessing the message content.

Key Transparency, the technology underpinning Plexi, ensures the authenticity of these encryption keys, aiding in the proper transmission of encrypted messages. Cloudflare's role as an auditor involves verifying logs of these keys and providing audit signatures to confirm their legitimacy. This process will help bolster the security of the overall message delivery system, ensuring that messages reach their intended recipients unaltered.

Nitin Gupta, Head of Engineering at WhatsApp, expressed enthusiasm about the partnership with Cloudflare. "We're excited to partner with Cloudflare to further strengthen Key Transparency on WhatsApp and help reaffirm for users that their encrypted session is secure," he stated. "This partnership with Cloudflare will make it even easier for users to verify the authenticity of their chats."

Security-conscious users, including journalists, activists, and human rights defenders, are often advised to manually verify their contacts' security keys. However, the implementation of Plexi aims to simplify this process by providing automatic verification, thereby enhancing user trust in E2EE communications without any additional steps.

WhatsApp's active collaboration with Cloudflare in implementing this technology will set a precedent for other messaging applications. By making key verification more straightforward, users will have an easier time ensuring their communications remain private and secure, a critical consideration in today's digital landscape.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X