Discord announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE).
The implementation was completed in March. Extensive at-scale testing has given Discord the confidence to formally announce the E2EE deployment now, and to start removing client code that supports unencrypted fallback.
Discord is a popular online platform that offers text chat, voice calls, video calls, livestreaming, and community servers for gaming, creators, businesses, and interest-based groups.
It is estimated to have 690 million registered users and more than 200 million monthly active users worldwide.
The migration to E2EE was achieved by extending the open-source encryption protocol DAVE to support all platforms where Discord clients run, including desktop, mobile, web browsers, PlayStation, Xbox, and Discord SDKs.
The encryption layer now covers DMs, group DMs, voice channels, and Go Live streams. Stage channels remain the only exception because they are designed for large public broadcasts rather than private conversations.
“End-to-end Encryption is now standard for every voice and video call on Discord, outside of stage channels. No opt-in required.” – Discord
DAVE was first introduced in September 2024, developed with assistance and auditing from Trail of Bits, to secure audio and video calls, group chats, voice channels, and Go Live streams on the platform.
The protocol leverages WebRTC encoded transforms, Messaging Layer Security (MLS) for scalable group key exchanges, and ephemeral identity keys to enhance privacy while minimizing call disruptions and latency when participants join or leave sessions.
Discord underlines the technical challenges of extending DAVE availability to all supported platforms and achieving low-latency levels that should make the migration unnoticeable for users.
One example highlighted in the report is a compatibility issue with Firefox. Instead of implementing a workaround or limiting browser support, Discord engineers worked with Mozilla to resolve the problem.
Regarding the possibility of DAVE being extended to cover text-based communications on the platform, Discord says there are currently no plans for such a move.
The reason is that major engineering challenges would obstruct such an endeavor, given that Discord’s text features were built from the ground up around non-encrypted messaging assumptions.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.