Cloudflare has made its video calling app, Orange Meets, available with end-to-end encryption (E2EE) and open-sourced the solution for transparency. The move aims to provide strong cryptographic assurances for research or prototyping contexts.
Orange Meets uses Messaging Layer Security (MLS), a group key exchange protocol standardized by the IETF. This enables continuous group key agreement, supporting secure group key exchange, forward secrecy, post-compromise security, and scalability. The encryption is handled entirely on the client side using WebRTC, with Cloudflare or the Selective Forwarding Unit acting as forwarding intermediaries that do not access sensitive data.
The app features a “Designated Committer Algorithm” for dynamic group membership changes, which securely governs MLS updates. Each video conferencing session displays a “safety number,” allowing participants to verify the group’s cryptographic state outside the platform and preventing “Monster-in-the-Middle” attacks.
While Orange Meets is not yet a polished consumer product, it offers a technical showcase for developers interested in integrating MLS or cryptography. The app does not require installation, with a live demo available online, or can be set up by users using the source code on GitHub.
However, some experts question the adoption of MLS without comparison to other encryption layers, such as Signal. They suggest that the lack of clear justifications and technical explanations may indicate an attempt to obfuscate concerns about its advantages over existing alternatives. The Big Tech backing of this protocol raises questions about potential implications for users’ security and privacy.
Source: https://www.bleepingcomputer.com/news/security/cloudflare-open-sources-orange-meets-with-end-to-end-encryption