Zoom To Launch End-to-End Encryption For All Users -- Not Just Paid Accounts (blog.zoom.us) 39
Weeks after Zoom said it will offer end-to-end encryption to only paying customers -- a move that was received poorly by several privacy and security advocates, the popular video calling software said on Wednesday it is making some amendments: We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE (end-to-end encryption) as an advanced add-on feature for all of our users around the globe -- free and paid -- while maintaining the ability to prevent and fight abuse on our platform. To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools -- including our Report a User function -- we can continue to prevent and fight abuse.
Re: (Score:1)
Re: (Score:1)
They'll still suck up to China (Score:1)
Wow! (Score:3)
Dumpster fire (Score:2)
Zoom sure looks like a Dumpster fire.
Re: Dumpster fire (Score:1)
In other words... (Score:2)
Re: (Score:2)
There's so many weasel words in that press release it blows the mind.
"This will enable us to offer E2EE (end-to-end encryption) as an advanced add-on feature for all of our users around the globe "
And why is it not on by default? Why?
Re: (Score:2)
Additionally: "Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. "
This isn't for anti-abuse. It's to have something to give to LEO (Law Enforcement.)
Re: (Score:3)
No. It's for them to collect more personal information on you. They won't know what was said during the call since it will be encrypted (isn't it?), but at least, they'll know who (what phone number) was connected.
Either you want to help LEO, and you don't encrypt, or you value privacy, and you don't ask for useless personal information such as a phone number. I don't see any reasons to sit on the fence.
Re: (Score:1)
Algorithm (Score:1)
Rumors are, they will use a strong proven algorithm with a 256 bit key.
The proven algorithm is known to have little impact on performance. It is called XOR. And as we all know, all 3-letter acronyms or companies are FANTASTIC.
Are we supposed to trust this? (Score:5, Interesting)
I personally will not trust an encryption scheme from a company that seems to have been bullied into it rather than fighting for it.
Re: Are we supposed to trust this? (Score:3)
This. They have a history of claiming security where none exists. Why believe them now?
Besides, who believes the can effectively implement end-to-end for meetings of more than two people?
Re: (Score:2)
Re:Are we supposed to trust this? (Score:5, Informative)
I don't think the GP's stance is unreasonable, given that...
- This is the company that up until recently had—and I wish I was kidding, but this actually happened—redefined "end-to-end encryption" in their documentation to mean something like "your traffic is encrypted on its way to and from us, but we're one of the 'ends' and can see everything". While that form of encryption is useful (it's actually called "transport encryption" and is used with HTTPS visits to sites, as an example), it is most certainly NOT end-to-end encryption. When they were confronted about it they doubled-down on their definition and said it was valid until enough public backlash built up.
- This is also the company with over 400 developers (which I'd like to take a moment to point out is an absolutely ludicrous number of developers for a product this size, even without the additional details I'm about to mention) based in mainland China, who has been caught routing calls—even calls between users in the same locality who have a Zoom server near them—to Zoom servers in mainland China.
- This is also also the same company that—just over two weeks ago at the instruction of "local authorities"—banned several US-based accounts after they hosted a conference call to commemorate the massacre at Tiananmen Square. That action, which was presumably requested by the Chinese Communist Party, was concerning enough to draw the attention of Washington, with several members of Congress reaching out just this week to formally demand that Zoom explain itself by the 26th.
So yeah, given their track record, ongoing practices, and willingness to work in and with an authoritarian regime that has an interest in snooping on traffic, I don't think it's at all unreasonable for someone to not give Zoom the benefit of the doubt here.
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I could not agree more. Who has the keys? If we don't know that, this is nothing but a marketing gimmick. And that goes for you too Facebook and Google and Microsoft and Apple and everyone else.
And keep in mind that truly secure E2EE is actually really hard to do in this sort of system. You have to have a server which both clients connect to in order to get introduced to one another, and that introduction is the point of weakness. Unless the two clients have some independent way of trusting one another (e.g. one of them has a signing key that the other one knows about from some out-of-band mechanism), the server can always MITM the connection. You can make the MITM process complicated and the atta
Re: (Score:2)
And who knows if they're holding a copy of the key for the CCP to investigate any suspicious meeting?
End to end is great, but it requires a lot of management to actually work. And given the way Zoom is, it's not entirely clear it's any better than sending it in the clear if everyone interested gets a hold of the keys to decrypt the stream anyways.
You know, in case someone talks
Re: (Score:2)
> that seems to have been bullied into it
If you've been following their communications for the past few months, it's actually quite the opposite. They were afraid of Bill Barr getting up in their craw if they gave it to everybody from the get-go. I had surmised that they would eventually get it out to everybody, in a quick dodge when nobody was paying attention (say after the election) because it's more expensive to maintain two infrastructures and encryption is cheap, but it appears that now they hav
Even if you are not a supporter of the protests... (Score:3)
You gotta give it credit, companies (and to a small extent the government) are actually responding to public outcry. I have never seen these type of reactions on this scale before. I honestly thought Zoom would give some mealy-mouth response and continue on without changing policy but behind the scenes they must have seen a drop off in users and people moving to other services in enough numbers to have them worried about losing the gains they have made.
Re: (Score:2)
Have we seen significant technical details regarding how this will be implemented, though? While I have taken a "let's give them a chance to show us" attitude with Zoom, they have used the term "end to end encryption" incorrectly before - so I want to see what they're actually doing before passing judgement.
Re: (Score:2)
https://github.com/zoom/zoom-e... [github.com] is a pretty good start IMO. In my day job that would get you a pass to a deeper architectural review, for sure.
Re: (Score:2)
Thank you!
Lip service (Score:2)
Talk is cheap. What kind of encryption is used? What size is the key? Can Zoom decrypt steams?
Re: (Score:2)
That is a very fair point. If they can decrypt the streams then they've done nothing of worth and do not understand the idea of "end-to-end". Their rapid growth and this situation has them in the spotlight so with any luck they will draw the eyes of enough security professionals to at least try to get it right.
Re: (Score:2)
You gotta give it credit, companies (and to a small extent the government) are actually responding to public outcry.
No you really don't. You don't give credit for a truly shitty company with outright shitty policies (we're not talking about bugs or low level decisions here, but active policy of a company) simply because they caved under pressure. We're also not going "give credit" to police departments who become less racist, we don't "give credit" to MS for open sourcing the windows calculator.
You give credit to companies and people who actually behaved well while others abused their positions for their own gain. When $
Re: (Score:2)
I was giving credit to the protesters and online groups of people who are pushing these companies, not the companies themselves or the police departments. Just saying we've seen public outcry before with little results and now we are seeing the needle move, if slowly and not enough yet. People are unified in a way about these issue that companies are taking notice and seem to be a bit scared like they haven't before.
Why? (Score:2)
To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.
Why is personally identifiable information needed for end-to-end encryption? I assume it's not technically needed, so what is the business justification? It's not clear whether the lack of end-to-end encryption or the presence of personally identifiable information is worse for privacy.
It's also interesting that the PR couches the need for personally identifiable information as a protection for users.
Will this this end up being PR-positive for Zoom?
Re: (Score:3)
Because when Zoom gets a subpoena, they want to be able to turn over your information to Law Enforcement. It's as simple as that.
And I guarantee you that the E2EE has an escrowed key that Zoom has access to.
I would not trust their encryption. For starters, your client does not control the key. Zoom controls the key. In true E2EE, the moderator would generate the key at the start of the meeting, and the key would not be held by zoom.
From their whitepaper:
https://github.com/zoom/zoom-e2e-whitepaper/blob/maste
Re: (Score:3)
You are quoting the "Current system" portion of that document. It then goes on to state the new system they are implementing to get End2End encryption (I guess this is done now but only for commercial clients). That has the quote "every Zoom application generates it's own public/private key pair". Whether what is described is actually secure I don't know, but quoting the wrong section is misleading.
Re: (Score:1)
To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.
Why is personally identifiable information needed for end-to-end encryption? I assume it's not technically needed, so what is the business justification? It's not clear whether the lack of end-to-end encryption or the presence of personally identifiable information is worse for privacy.
It's also interesting that the PR couches the need for personally identifiable information as a protection for users.
Will this this end up being PR-positive for Zoom?
It's so the CCP can track down dissents^W citizens who need some additional training.
And don't believe for a moment that Beijing isnt' going to have the decryption keys. Whether Washington gets them depends on whether Zoom pulls an Apple and gripes and moans about "rule of law" and "user privacy".
Easier to do (Score:2)
And decription... (Score:2)
End to end encryption doubtful (Score:2)
I suspect it will not really be end-to-end encryption. You almost can't do end-to-end encryption. The video has to be manipulated by the server to change bit rate or resolution for different recipients.
So it will be encrypted in transport, but decrypted at the server.