In a digital world where privacy and security are constantly under threat, choosing the right communication platform is crucial. Wire stands out as a robust, enterprise-grade messenger, purpose-built for end-to-end protection and transparency. Whether you’re a business leader, privacy advocate, or curious user, understanding the security mechanisms behind Wire helps foster trust and informed decision-making. Here’s a deep dive into how Wire safeguards every message, call, and file so you know your data stays yours.
Open Source Transparency: Powered by the Community
- All security-critical components are open source under a GPLv3 license. Anyone can inspect, audit, and build both the clients and backend from source.
- Reproducible builds ensure that public binaries match the published source, building trust that no unwanted changes exist.
This openness isn’t just a feature—it’s the bedrock of trust, enabling independent security reviews and fast vulnerability fixes.
End-to-End Encryption: Your Data, Your Eyes Only
Everything you send or receive on Wire is end-to-end encrypted (E2EE):
- Only the intended recipients (on their verified devices) can decrypt messages, calls, and files.
- Wire never has the keys to decrypt your conversations, regardless of infrastructure—public cloud, on-premises, or air-gapped deployments.
Dual Protocol Support
- Proteus (based on the Axolotl/Double Ratchet protocol):
  - Strong modern cryptography: ChaCha20 for encryption, X25519 for key exchange, Ed25519 for signatures.
  - Each device maintains its own set of key pairs, enabling secure communication even while offline.
  - Provides forward secrecy and post-compromise security.
- MLS (Messaging Layer Security):
  - Industry standard for secure group messaging at scale.
  - Key derivation trees ensure instant revocation of group members.
  - Uses strong cipher suites; enables secure conferencing and cross-organizational communication.
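The Proteus bullets above describe per-device key pairs, X25519 key exchange, Ed25519 signatures and sessions that can be started while the recipient is offline. The following Go program is an added illustration of how those pieces fit together; it is not Wire's or Proteus's code and does not reproduce their message formats. The `Device`, `PrekeyBundle`, `SenderAgree` and `RecipientAgree` names are assumptions made for this example. Each device holds an Ed25519 identity key and an X25519 prekey signed by that identity key; a sender verifies the signature, does X25519 with a fresh ephemeral key, and both sides derive the same initial key. The ratchet that gives forward secrecy and post-compromise security, and the ChaCha20 message encryption, are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds one device's long-term keys (constructed illustration, not Wire's data model).
type Device struct {
	identityPub  ed25519.PublicKey
	identityPriv ed25519.PrivateKey
	prekeyPriv   *ecdh.PrivateKey // X25519 prekey published so peers can start a session while this device is offline
}

// PrekeyBundle is what a server can hand out on a device's behalf.
// The signature binds the X25519 prekey to the device's Ed25519 identity key.
type PrekeyBundle struct {
	IdentityPub ed25519.PublicKey
	PrekeyPub   []byte
	Signature   []byte
}

// NewDevice generates a fresh identity key pair and a fresh prekey pair.
func NewDevice() (*Device, error) {
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	prekey, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{identityPub: idPub, identityPriv: idPriv, prekeyPriv: prekey}, nil
}

// Bundle publishes the device's prekey, signed with its identity key.
func (d *Device) Bundle() PrekeyBundle {
	pk := d.prekeyPriv.PublicKey().Bytes()
	return PrekeyBundle{IdentityPub: d.identityPub, PrekeyPub: pk, Signature: ed25519.Sign(d.identityPriv, pk)}
}

// deriveKey is a one-block HKDF-style expand over the raw ECDH output,
// so the raw shared secret never doubles as a cipher key.
func deriveKey(shared []byte, info string) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte(info))
	mac.Write([]byte{0x01})
	return mac.Sum(nil)
}

// SenderAgree runs on the sending device: refuse a bundle whose signature does not
// verify, then do X25519 with a fresh ephemeral key. It returns the ephemeral public
// key to ship with the first message, and the derived key.
func SenderAgree(b PrekeyBundle) (ephPub, key []byte, err error) {
	if len(b.IdentityPub) != ed25519.PublicKeySize || !ed25519.Verify(b.IdentityPub, b.PrekeyPub, b.Signature) {
		return nil, nil, errors.New("prekey bundle signature invalid; refusing to start session")
	}
	curve := ecdh.X25519()
	peer, err := curve.NewPublicKey(b.PrekeyPub)
	if err != nil {
		return nil, nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), deriveKey(shared, "initial-message-key"), nil
}

// RecipientAgree runs on the device that was offline: from the sender's ephemeral
// public key and its own prekey it reaches the same derived key.
func (d *Device) RecipientAgree(ephPub []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.prekeyPriv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return deriveKey(shared, "initial-message-key"), nil
}

func main() {
	bob, err := NewDevice()
	if err != nil {
		panic(err)
	}
	ephPub, aliceKey, err := SenderAgree(bob.Bundle()) // Alice starts a session while Bob is offline
	if err != nil {
		panic(err)
	}
	bobKey, err := bob.RecipientAgree(ephPub) // Bob catches up later
	if err != nil {
		panic(err)
	}
	fmt.Println("both devices derived the same key:", bytes.Equal(aliceKey, bobKey))
}
```

The signature check is the step that matters for the "verified devices" promise: a server that swapped in its own X25519 key could not produce a valid Ed25519 signature under the device's identity key, so `SenderAgree` refuses the bundle instead of silently keying a session with the wrong party.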
Identity Management and Verification
Device and User Identity
- Each device generates its own cryptographic identity key pair.
- Wire supports multiple devices per user; each device has its own identity, and the user is notified whenever a new device is registered.
- Verification is manual (Proteus) or automatic with X.509 certificates (MLS).
End-to-End Identity Verification with ID Shield
- Uses a private PKI: each device is assigned an X.509 certificate.
- Automated enrollment and regular renewal ensure continued strong identity guarantees.
- Revoked or expired certificates degrade verification status, alerting participants.
Authentication, Authorization, and Account Security
- Passwords are hashed with scrypt or argon2id and never stored as plaintext.
- Single Sign-On (SSO) via SAML or OIDC integrates with enterprise identity providers.
- Two-Factor Authentication (2FA) for sensitive operations.
- Session tokens are short-lived and cryptographically signed; longer-lived tokens have strict expiry and usage controls.
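The last bullet states that session tokens are short-lived and cryptographically signed. The Go program below is an added example of those two properties, not Wire's token format (which this page does not describe): a server-side HMAC-SHA256 key signs a payload of user, device and expiry; verification checks the signature in constant time before reading any field, then enforces the expiry. `TokenSigner`, `Issue` and `Verify` are names chosen for this example, and it assumes user and device identifiers never contain the `|` separator.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
	"time"
)

// TokenSigner issues and checks short-lived bearer tokens signed with HMAC-SHA256.
// Constructed illustration; the signing key never leaves the backend.
type TokenSigner struct {
	secret []byte
}

// NewTokenSigner draws a random 256-bit signing key.
func NewTokenSigner() (*TokenSigner, error) {
	secret := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, secret); err != nil {
		return nil, err
	}
	return &TokenSigner{secret: secret}, nil
}

func (s *TokenSigner) sign(payload []byte) []byte {
	mac := hmac.New(sha256.New, s.secret)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Issue mints a token for one user on one device that expires at now+ttl.
// Identifiers are assumed not to contain the '|' separator; this is enforced.
func (s *TokenSigner) Issue(user, device string, now time.Time, ttl time.Duration) (string, error) {
	if strings.ContainsAny(user+device, "|") {
		return "", errors.New("identifiers may not contain '|'")
	}
	payload := []byte(fmt.Sprintf("%s|%s|%d", user, device, now.Add(ttl).Unix()))
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(s.sign(payload)), nil
}

// Verify checks the signature in constant time before trusting any field,
// then enforces expiry. It returns the user and device the token was issued for.
func (s *TokenSigner) Verify(token string, now time.Time) (user, device string, err error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", "", errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", "", errors.New("malformed token")
	}
	if !hmac.Equal(sig, s.sign(payload)) { // constant-time comparison
		return "", "", errors.New("bad signature")
	}
	fields := strings.Split(string(payload), "|")
	if len(fields) != 3 {
		return "", "", errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(fields[2], 10, 64)
	if err != nil {
		return "", "", errors.New("malformed expiry")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", "", errors.New("token expired")
	}
	return fields[0], fields[1], nil
}

func main() {
	signer, err := NewTokenSigner()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := signer.Issue("alice", "laptop-1", now, 15*time.Minute)
	_, _, err = signer.Verify(tok, now.Add(10*time.Minute))
	fmt.Println("accepted after 10 min:", err == nil)
	_, _, err = signer.Verify(tok, now.Add(20*time.Minute))
	fmt.Println("rejected after 20 min:", err)
}
```

Two details carry the security weight: the expiry lives inside the signed payload, so a client cannot extend its own session, and the signature is checked before the payload is parsed, so malformed or forged input is rejected without any field ever being trusted.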
Asset Security: Files and Media
- Files are encrypted with random AES-256 keys before upload.
- The asset key is delivered to recipients inside an end-to-end encrypted message, so only the intended recipients can decrypt the file.
- Even if the asset storage is breached, an attacker holds only ciphertext; decryption requires the key, which is itself end-to-end encrypted.
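The three bullets above describe envelope encryption: a fresh random AES-256 key per file, the encrypted blob in storage, and the key travelling only inside an end-to-end encrypted message. The Go program below is an added example of that pattern, not Wire's asset code; it uses AES-256-GCM as an assumed mode (the page names only AES-256) and adds a SHA-256 digest of the ciphertext to the key message so a recipient can confirm the download is the blob the sender uploaded. `StoredAsset`, `AssetKeyMessage`, `EncryptAsset` and `DecryptAsset` are names chosen for this example, and the sample file is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// StoredAsset is all the asset store ever receives: an opaque ciphertext.
// Constructed illustration; field names are assumptions, not Wire's API.
type StoredAsset struct {
	ID         string
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

// AssetKeyMessage rides inside the end-to-end encrypted message, so only the
// intended recipients ever see the key.
type AssetKeyMessage struct {
	AssetID string
	Key     []byte   // fresh random 32-byte AES key, one per asset
	Digest  [32]byte // SHA-256 of the ciphertext, so recipients can check the download
}

// EncryptAsset encrypts a file under a fresh random key before upload.
func EncryptAsset(id string, plaintext []byte) (StoredAsset, AssetKeyMessage, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return StoredAsset{}, AssetKeyMessage{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredAsset{}, AssetKeyMessage{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredAsset{}, AssetKeyMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredAsset{}, AssetKeyMessage{}, err
	}
	// Seal appends to nonce, so the stored blob is nonce || ciphertext || tag.
	// The asset id is bound as associated data so a blob cannot be re-labelled.
	ct := gcm.Seal(nonce, nonce, plaintext, []byte(id))
	return StoredAsset{ID: id, Ciphertext: ct},
		AssetKeyMessage{AssetID: id, Key: key, Digest: sha256.Sum256(ct)}, nil
}

// DecryptAsset is what a recipient does after downloading: check the digest from
// the E2EE message against the blob, then decrypt with the delivered key.
func DecryptAsset(stored StoredAsset, msg AssetKeyMessage) ([]byte, error) {
	if stored.ID != msg.AssetID {
		return nil, errors.New("asset id mismatch")
	}
	if sha256.Sum256(stored.Ciphertext) != msg.Digest {
		return nil, errors.New("download does not match the digest the sender sent")
	}
	block, err := aes.NewCipher(msg.Key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(stored.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, stored.Ciphertext[:ns], stored.Ciphertext[ns:], []byte(stored.ID))
}

func main() {
	file := []byte("quarterly-figures.xlsx: constructed confidential contents") // constructed sample
	stored, keyMsg, err := EncryptAsset("asset-0001", file)
	if err != nil {
		panic(err)
	}
	// What a breach of the asset store exposes: ciphertext, no key, no plaintext.
	fmt.Println("plaintext visible in storage:", bytes.Contains(stored.Ciphertext, file))
	got, err := DecryptAsset(stored, keyMsg)
	fmt.Println("recipient decrypted correctly:", err == nil && bytes.Equal(got, file))
}
```

The split between `StoredAsset` and `AssetKeyMessage` is the whole point: the storage tier never sees the second struct, and the messaging tier never sees the first in the clear, so neither a storage breach nor a server reading message metadata yields the file.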
Voice and Video Calls: Secured by WebRTC, DTLS, and SRTP
- All calls are routed through E2EE sessions.
- Media streams are protected with SRTP, with keys exchanged via DTLS 1.2.
- Relays (TURN servers) only see encrypted packets and no user identities.
Federation: Secure Cross-Organizational Communication
- Federated domains are explicitly allowlisted; no unwanted cross-organization messages.
- All traffic is mutually authenticated and encrypted with X.509 certificates via mTLS.
- Each organization manages its own root/intermediate CA for maximum trust and control.
Additional Security Features
- App lock: Passcode or biometrics required before viewing messages.
- Backup encryption: backups are encrypted with XChaCha20-Poly1305 under a key derived from a user-defined secret via memory-hard Argon2i.
- Legal hold: Admin-managed compliance devices transparently retain message copies.
- Ephemeral messages: Self-deleting for convenience, but not primary protection—residual artifacts may exist on device storage.
Mitigation Against Attacks
- Key pinning: TLS server identity is verified by known public key pins.
- Rate and attempt limits: throttles and timeouts for registration, password resets, and authentication.
- Comprehensive logging and alerting: Notifies admins and users about suspicious actions like new device registrations.
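The "rate and attempt limits" bullet is the control that turns a password guess into a slow, noisy operation. The Go program below is an added example of a per-key failed-attempt limiter with a sliding window and a lockout; it is not Wire's implementation, and the thresholds, the `login:<user>` key format and the `AttemptLimiter` name are assumptions chosen for this example. Time is passed in explicitly so the behaviour can be checked deterministically.

```go
package main

import (
	"fmt"
	"time"
)

// AttemptLimiter counts failed attempts per key (an account, an IP, a phone
// number) and locks the key out once max failures land inside one window.
// Constructed illustration; Wire's actual thresholds are not stated on this page.
type AttemptLimiter struct {
	max     int           // failures allowed inside one window
	window  time.Duration // how far back failures still count
	lockout time.Duration // how long a key stays blocked after reaching max
	fails   map[string][]time.Time
	locked  map[string]time.Time // key -> time the lockout ends
}

func NewAttemptLimiter(max int, window, lockout time.Duration) *AttemptLimiter {
	return &AttemptLimiter{max: max, window: window, lockout: lockout,
		fails: map[string][]time.Time{}, locked: map[string]time.Time{}}
}

// Allowed reports whether an attempt for key may proceed at time now.
// An expired lockout is cleared together with the failure history behind it.
func (l *AttemptLimiter) Allowed(key string, now time.Time) bool {
	if until, ok := l.locked[key]; ok {
		if now.Before(until) {
			return false
		}
		delete(l.locked, key)
		delete(l.fails, key)
	}
	return true
}

// Fail records a failed attempt and returns true if it triggered a lockout.
// Failures older than the window are dropped first (sliding window).
func (l *AttemptLimiter) Fail(key string, now time.Time) bool {
	recent := l.fails[key][:0]
	for _, t := range l.fails[key] {
		if now.Sub(t) < l.window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	l.fails[key] = recent
	if len(recent) >= l.max {
		l.locked[key] = now.Add(l.lockout)
		return true
	}
	return false
}

// Success clears the failure history for key, e.g. after a correct password.
func (l *AttemptLimiter) Success(key string) {
	delete(l.fails, key)
}

// RemainingLockout returns how long key is still blocked at time now (zero if it is not).
func (l *AttemptLimiter) RemainingLockout(key string, now time.Time) time.Duration {
	if until, ok := l.locked[key]; ok && now.Before(until) {
		return until.Sub(now)
	}
	return 0
}

func main() {
	limiter := NewAttemptLimiter(5, 10*time.Minute, 30*time.Minute)
	now := time.Now()
	for i := 0; i < 5; i++ { // five wrong passwords in quick succession
		if limiter.Fail("login:alice", now) {
			fmt.Println("alice locked out for", limiter.RemainingLockout("login:alice", now))
		}
	}
	fmt.Println("alice allowed now:", limiter.Allowed("login:alice", now))
	fmt.Println("alice allowed in 31 min:", limiter.Allowed("login:alice", now.Add(31*time.Minute)))
}
```

A lockout event from `Fail` is exactly the kind of signal the next bullet wants surfaced: it is a natural place to emit the alert that tells an administrator, or the account owner, that someone has been guessing.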
Commitment to Privacy and Compliance
- Wire is GDPR-ready, with detailed documentation for privacy and compliance needs.
- Identical security for all backend deployments: cloud, private, or air-gapped.
Conclusion: Security You Can Verify, Not Just Trust
Wire’s reputation for security is rooted in transparency, open review, and uncompromising cryptography. Whether you’re sending sensitive business documents, holding confidential meetings, or building a secure compliance environment, Wire gives you full control over your data.
Trust is built on transparency, open review, and best-in-class cryptography—the very foundation of Wire.
Download our Security Whitepaper for a deeper technical dive.