238/68 Tuesday, July 1, 2025
Cloudflare has launched an End-to-End Encryption (E2EE) feature for its video calling platform Orange Meets and released the source code as open source to promote transparency and allow developers, researchers, and security professionals to freely study or build upon the platform. Orange Meets was originally developed as a demo project under Cloudflare Calls (now renamed Realtime), and the latest version introduces advanced group-level encryption capabilities.
The E2EE system in Orange Meets is built upon the IETF’s standard Messaging Layer Security (MLS) protocol, which is designed for secure group key exchanges. The platform is written in the Rust programming language and supports key security features such as Forward Secrecy, Post-Compromise Security, and Scalability. All encryption is handled on the client side using WebRTC technology, with Cloudflare and the Selective Forwarding Unit (SFU) only relaying data — without any access to the content of the communication.
To further enhance security in dynamic group environments where participants may frequently join or leave, Cloudflare developed a Designated Committer Algorithm. This mechanism assigns one participant in the group the responsibility of managing MLS updates and displaying a Safety Number so that users can verify their shared encryption status securely, helping prevent Monster-in-the-Middle (MitM) attacks. The company also used the TLA+ specification language to mathematically model and verify the protocol’s correctness under all possible conditions.
While Orange Meets is not yet as feature-complete as commercial solutions like Zoom or Signal, it stands out as a high-potential security prototype, suitable for academic research, proof-of-concept testing, or future development of secure communication solutions. Users can try it directly via the online demo or download the source code from GitHub for self-hosted deployment.
