Cloudflare has taken a bold step towards privacy-centric communications by integrating end-to-end encryption (E2EE) into its open-source video calling app, Orange Meets. Originally launched in 2024 as a demo for Cloudflare Realtime (previously Cloudflare Calls), Orange Meets showcased scalable WebRTC-based group video calls using Selective Forwarding Units (SFUs). However, while SFUs improve performance by routing media streams efficiently, they have historically created privacy gaps, as unencrypted audio and video streams pass through them.
Embracing MLS for secure, scalable connections
To close these privacy gaps, Cloudflare has adopted Messaging Layer Security (MLS) – an IETF-standardized protocol designed for secure group communications. This implementation is crucial because MLS enables forward secrecy, post-compromise security, and dynamic group membership without demanding that users send individual encrypted copies to each participant. Instead, Orange Meets encrypts each frame on the client side using Rust and WebAssembly (WASM) before transmitting it, ensuring the SFU only handles encrypted data.
By integrating MLS, Cloudflare combines strong encryption with the performance benefits of SFUs, allowing group calls to remain smooth and scalable while maintaining strict privacy standards.
Managing group dynamics with confidence
One of the toughest challenges in group E2EE is handling participants as they join or leave calls. Cloudflare introduced an elegant “Designated Committer” algorithm, where a specific participant coordinates group state updates during membership changes. If this person disconnects, the role seamlessly transfers to another participant.
To ensure the robustness of this approach, Cloudflare formally verified the algorithm using TLA+, a specification language for modeling complex systems. This thorough verification reduces the risk of race conditions or unforeseen vulnerabilities, underscoring Cloudflare’s commitment to responsible security engineering.
Prioritizing user verification and authenticity
Orange Meets also implements cryptographic safety numbers, a user-friendly mechanism similar to those used in secure messaging apps like Signal. Each user sees a short code they can verify with others through an external channel, ensuring no malicious server is tampering with session keys. This safety-first approach empowers users to take ownership of their privacy, rather than placing blind trust in infrastructure providers.
Building an open-source foundation for secure communication
It’s important to note that Orange Meets is not a consumer-ready product. Its purpose is to serve as a developer-focused, open-source demonstration for cryptographers, researchers, and privacy engineers building E2EE-enabled real-time video systems. The project remains modular and transparent, allowing anyone to experiment, adapt, or contribute to its codebase via GitHub or its live demo.
Why this matters for the privacy and tech community
- Trailblazing MLS in real-time video
Orange Meets is among the first video calling tools to integrate MLS for scalable group encryption. Traditional E2EE approaches in video often struggled with performance overheads when many users joined; MLS elegantly resolves this limitation. - Strengthening privacy without sacrificing scale
Cloudflare proves that robust privacy doesn’t need to come at the cost of performance. By encrypting data client-side while retaining SFU efficiency, it combines the best of both worlds – security and speed. - Rigorous security validation
The team’s use of TLA+ to model and verify the Designated Committer algorithm reflects industry-leading diligence. This formal verification ensures the solution can stand up to real-world threats while remaining practical for implementation. - Empowering an open-source future
By making Orange Meets fully open-source, Cloudflare encourages innovation, transparency, and community trust. Security thrives when solutions are scrutinized, improved, and collectively owned.
Challenges and the journey ahead
Despite its promise, Orange Meets isn’t without limitations:
- Not consumer-ready yet: Its interface lacks the polish of mainstream apps like Zoom or Teams, and it is intended for prototyping rather than daily use.
- No third-party audits completed: While internal verification provides confidence, external audits are vital before any mission-critical adoption.
- User education remains key: Features like safety number verification, while powerful, may overwhelm less technical users. Clear, accessible design will be crucial for mass adoption.
- Future potential: Cloudflare has hinted at enhancements such as tamper-proof delivery (akin to WhatsApp’s Code Verify) and advanced identity verification using OpenPubkey, which could elevate Orange Meets from prototype to production-ready platform.
A purposeful step towards privacy-first communication
Cloudflare’s integration of end-to-end encryption into Orange Meets reflects a wider industry shift towards privacy-first communication tools. In a world where digital safety is non-negotiable, this project shows it is possible to achieve both performance and privacy without compromise.
For developers, researchers, and security advocates, Orange Meets is not just another app – it is an inspiring example of how rigorous engineering, open-source collaboration, and ethical design can create technologies that empower people to communicate freely and securely.
