The fact that they show end users (no pun intended) an "end-to-end encrypted" badge on the meeting window itself, and elsewhere explain how a Zoom server (not Zoom client) is what constitutes an "end" despite the whole rest of the electronic communication industry using "end-to-end" to refer exclusively to user agents, is bonkers.
Agreed. It's unlikely they stumbled onto an industry standard phrase like that alone, then innocently used it without knowing the generally accepted meaning. This is deceptive advertising.
Not defending zoom here -- they done fucked up -- but there is a huge disconnect between the marketing folks and the technical folks. It's possible that E2E Encryption was something they planned on implementing but haven't, and the marketing department either didn't get the memo or didn't understand and still kept the wording.
> To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.
The first problem is:
> Zoom currently maintains the key management system for these systems in the cloud.
Obviously, this compromises many of the benefits of e2e encryption. Having said that, it doesn't remove all of the benefits, and it's a (bad) precedent that has been set by other companies (eg. apple) where keys for end-to-end encrypted communication are backed up to the cloud.
The second problem is that Zoom has a second class of "client" called a "Connector" which runs in the cloud, and also has access to the keys for decrypting the stream. I definitely think that when one of these connectors is being used, it is false advertising to show the "e2e encrypted" status. However, there are clear technical reasons why these connectors are needed. Being able to dial into a meeting from an ordinary phone is important functionality that simply cannot support end-to-end encryption.
The interesting section to me is the later paragraph:
> For those who want additional control of their keys, an on-premise solution exists today for the entire meeting infrastructure, and a solution will be available later this year to allow organizations to leverage Zoom’s cloud infrastructure but host the key management system within their environment. Additionally, enterprise customers have the option to run certain versions of our connectors within their own data centers if they would like to manage the decryption and translation process themselves.
In particular, being able to use your own key management system would make this truly end-to-end encrypted by any definition, even if you are still using Zoom's cloud infrastructure.
> other companies (eg. apple) where keys for end-to-end encrypted communication are backed up to the cloud
Backed up for iCloud users who might not know any better, but not backed up for people who take the time to learn how to guarantee the full protection of E2E by keeping iCloud off. The fact that the full benefit is available with little effort, albeit not obvious, creates a contrast to how:
> Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes
...but they easily could. Users can't just search for how to harden the Zoom encryption to the point of lawful intercept becoming impossible and find a simple solution the way they can with Apple.
> an on-premise solution exists today for the entire meeting infrastructure
...is not practical for most.
So, eliminating the E2E badge was the right move. The fact that it was there until now is shady.
They are using the same language as Apple talking about iMessage and FaceTime. Apple talks about end to end encryption, but one end is iCloud which is why you can get your messages simultaneously on all devices.
There is a big difference there though. In transit, iMessage and FaceTime backups are end-to-end encrypted, it's just the iMessage backups on iCloud that also store the key.
FaceTime chats, though, truly are end-to-end encrypted and the calls aren't backed up like iMessages are.
That's not true at all. iMessage is really end-to-end encrypted.
Two options impact it: "Messages in iCloud" re-encrypts and uploads messages to the user's iCloud account and stores the key in iCloud Keychain (also end-to-end encrypted).
Only when enabling iCloud backup will that key be revealed to Apple.
This is not true. Don't spread FUD. Apple does not have the ability to read your messages. All messages stored on their servers are encrypted with keys that live only on the phone.
iMessage doesn't store your decryption keys on Apple's servers unless you opt into iCloud backup which is a whole different service and security concern.
Zoom is such a bizarre product. For huge video calls, it tends to perform as well or better than everything else out there. Yet at the same time it literally seems like straight-up malware and seems to violate your trust and privacy left and right every step of the way, even in the installer (!).
To be fair it does perform better than everything else, which is why people are so forgiving of it, but it still doesn't excuse their ineptitude on privacy and security.
In my experience Google's Hangout Meetings have been at least as good or better quality and the interface is far superior in my opinion. For example it works in the browser without any plugins (even in Firefox.)
It was one of the fastest-growing SAAS companies before coronavirus hit despite all the free competition.
The reason? "It just works."
It's clear their singular focus on making it "just work" for even the least tech-savvy users has led them to prioritise user experience over security/privacy. I imagine a rebalancing is coming.
The age old question: is it bad because there are bad actors involved or is it bad because it's new and cheap and the maker views security etc as a Nice to Have.
The problem with Zoom isn't that it doesn't have end-to-end encryption. If you consider the problem, it is extremely difficult to solve, as in contrast to a 1:1 video call, the server somehow has to multiplex the streams and thus needs at least some access to them. With a trustworthy provider, this isn't a big issue. A trustworthy provider will have a clear policy which ensures that only the multiplexer has access to the unencrypted data. After all, you are running a proprietary client from that provider, and each client of course has access to all unencrypted data.
The problem is that the actions of Zoom don't make them look like a trustworthy provider. They lied about the end-to-end encryption. What they should have done instead is to be transparent on how unencrypted data is used on their servers and what their protocols are to prevent unauthorized access to that data. This is especially important in a business context, because the business users themselves have confidentiality agreements they need to guarantee, and using an external provider for confidential data requires that provider to pass the necessary scrutiny.
And of course, the huge pile of security issues coming up with their client, the web server, the mac installer, the script host, gives every reason to believe that they either don't know what they are doing or are completely reckless at least. And the term "reckless" doesn't fit in a conversation about security :).
No. "End-to-end encryption" does not protect metadata necessary to route the data over a network, just the contents of the communication. The clients could negotiate keys to protect the contents of a meeting end-to-end. In other words, Zoom servers could deduce who was speaking, when they spoke, and for how long, but not what they said.
Your internet service provider can deduce the same about your HTTPS connections.
> The clients could negotiate keys to protect the contents of a meeting end-to-end.
Not really because Zoom makes fairly extensive use of the decrypted video streams on their servers, e.g. to detect who is talking, pause video for people with slow connections, etc. You could maybe do it for meetings with a few people in, but good luck doing it for meetings with 100 people.
Hell the cryptography of group end-to-end encryption hasn't really been worked out yet. WhatsApp doesn't do it and that's just for text. I'm pretty sure Signal doesn't either.
There's really nothing bad with not having end-to-end encryption for group video conferencing apps. The shitty thing is that they pretended that they did.
The server does not have to decrypt or process the video, it can just send the same encrypted video to other clients (or you can use p2p communication without a server involved).
There may be advantages to processing video at the server, but it's definitely not a hard requirement.
The problem is the required bandwidth if you send all streams to all participants. If you do that, you can do end-to-end encryption, but you have to send all streams at the maximum resolution you want to support. If the server handles the mixing, each client only needs to be sent one full-resolution stream.
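The forwarding design sketched in the comments above, as an added example that is not code from this thread or from Zoom: clients encrypt each media frame with AES-GCM under a shared meeting key, and a relay copies the ciphertext to the other members without being able to open it, so the server learns only who sent which frame and how large it was. The names (Frame, Client, Relay) are mine, and key distribution is assumed away: every client is simply handed the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Frame is all the relay sees: routing metadata plus an AES-GCM ciphertext it has no key for.
type Frame struct {
	Sender string
	Seq    uint32
	Nonce  []byte
	Body   []byte
}

// Client holds the shared meeting key. How that key reaches the clients is
// assumed away here (think a key management system the organisation runs).
type Client struct{ ID string; aead cipher.AEAD; seq uint32 }

func NewClient(id string, key []byte) *Client {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return &Client{ID: id, aead: aead}
}

// aad binds sender and sequence number into the GCM tag, so a relay that
// re-attributes or replays a frame is rejected by the receiver.
func aad(sender string, seq uint32) []byte { return []byte(fmt.Sprintf("%s#%d", sender, seq)) }

func (c *Client) Encrypt(media []byte) Frame {
	c.seq++
	nonce := make([]byte, c.aead.NonceSize())
	rand.Read(nonce)
	return Frame{c.ID, c.seq, nonce, c.aead.Seal(nil, nonce, media, aad(c.ID, c.seq))}
}

func (c *Client) Decrypt(f Frame) ([]byte, error) {
	return c.aead.Open(nil, f.Nonce, f.Body, aad(f.Sender, f.Seq))
}

// Relay forwards ciphertext to everyone but the sender; its Log is the server's whole view.
type Relay struct{ Log []string }

// Forward delivers one frame and returns the plaintext each receiver recovered.
func (r *Relay) Forward(f Frame, members []*Client) (map[string][]byte, error) {
	r.Log = append(r.Log, fmt.Sprintf("%s seq=%d bytes=%d", f.Sender, f.Seq, len(f.Body)))
	out := map[string][]byte{}
	for _, m := range members {
		if m.ID == f.Sender {
			continue
		}
		plain, err := m.Decrypt(f)
		if err != nil {
			return nil, fmt.Errorf("%s rejected frame from %s: %w", m.ID, f.Sender, err)
		}
		out[m.ID] = plain
	}
	return out, nil
}
```

A "connector" in the sense discussed above would simply be another Client constructed with the meeting key, which is exactly why its presence changes what the server can read.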
Matrix/Riot, Jitsi, and Signal seem to have handled E2EE voice/video pretty well while being FOSS (the first of which is a free/open protocol as well as a client).
That's the right thing to do. If SpaceX is important to national security, then Zoom security and privacy is so bad, that a bad actor could steal SpaceX technology.
At my previous job, we used to dial random zoom numbers and enter into random conversations of other companies. Once we landed in a Facebook call where they were talking about Libra (before it was a thing).
If you turn off camera and video, the host doesn't even know you're there unless they check the guest list.
I looked into adding Zoom to our Slack workspace this morning, and was beside myself with the set of permissions they requested — reading the contents of every channel and private chat they're included in? For a slash command?
That's a hard no. Turned me off the service entirely.
> reading the contents of every channel and private chat they're included in? For a slash command?
This may improve soon. Slack is starting to force apps to request granular permissions (vs a big-tent "bot" scope like before) and when you submit to their store, they vet each permission and verify what you're using it for. They don't let you request permissions "just because" in my experience.
It works, but it burns through so much CPU your computer will be a gibbering mess. There are some pretty silly inefficiencies going on, for example: if you switch away to another window, they display a small video player while keeping the big one running in the background. Each time you switch into screen sharing mode, they drag you back to the app again. If you draw on the screen, someone has screwed up their linear algebra so you end up seeing double, with an extra copy of what you're drawing in totally the wrong place.
Annoyingly it's a bit too convenient, so going out of band is a pain.
It works great for 1:1 and small group conversations, but its max meeting size (15 people I think) is an immediate disqualifier. We regularly have hundreds of people on Zoom calls with no issues.
YMMV, but for me it turns my computer into a simulation of a space heater even when I'm not sharing my screen, and those gigantic unhidable toolbars make me feel like I'm playing whack-a-mole more than working at times.
Oh, and yes, I "almost forgot"! How do they even physically manage to get multiple seconds of latency at times, when everyone in the call is in the same city, and where the worst connection on the call is at about 20Mbit? Are they just buffering for the heck of it? Why not simply drop some frames if you get behind?
We have Zoom on our Slack workspace and we'd remove it immediately if this were the case, but it appears to be false. The full list of permissions required by the official Zoom Slack integration is at www.slack.com/apps/A5GE9BMQC-zoom, and doesn't have read access to any channels, private or public, except for "some URLs in messages".
I feel very conflicted on Zoom. It mostly just works and on every platform, even Linux. My kids use it to do their music lessons now. It really is very good at what it does in a time when such solutions are needed. Also they responded to the mobile facebook sdk issue and the macos issue quickly.
But I agree the way they suggest it is end to end encrypted is misleading. I don't think it really can be end to end to get the performance and features. People just need to see each other at the moment. You can do anything sensitive with more secure communication. But it clearly doesn't belong in any place discussing technology with military applications.
I still think it is solid for my kids to keep up with their lessons or for a weekly meeting about some web development. There are genuine criticisms of Zoom at the moment that need to be taken seriously but there is likely also some negative media being generated from their competition that are missing out.
They did not address the OSX issue for ages. They claimed it was intentional and a valuable feature for customers. In the end Apple had to release a security update to remove the web server.
So what's a good open source replacement? Jitsi, Jitsi Meet, Linphone, Ekiga, Jami and a bunch of others look okay [1], but it's hard to say how easy they are to use.
I've used Jitsi Meet with ordinary (that is, non-IT) people without trouble. I've also recommended it to elementary school teachers, who have been happy with it. It works in a desktop browser; on mobile it offers a minimal app installation. Self-hosting is quite easy with their apt repo.
Came to say the same thing. Zoom is impossible if you are considered part of the DoD supply chain. Most of the public products are untenable if you need to talk about ITAR projects or about anything considered CUI.
Even if they weren't supplying the DoD with anything, rocket technology is missile technology. (Granted, liquid fueled ICBMs are old-school, but they'd nevertheless still be under ITAR even if they took no government contracts.)
https://support.apple.com/guide/security/how-imessage-sends-...
* View some URLs in messages
* View messages and other content in public channels, private channels, direct messages, and group direct messages that Zoom has been added to
* View basic information about direct and group direct messages that Zoom has been added to
* View basic information about public channels in your workspace
* View basic information about private channels that Zoom has been added to
* View files shared in channels and conversations that Zoom has been added to
* View pinned content in channels and conversations that Zoom has been added to
* View messages and files that Zoom has starred
* View emoji reactions and their associated content in channels and conversations that Zoom has been added to
[1] https://en.wikipedia.org/wiki/Comparison_of_VoIP_software