Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Encryption Security

Zoom To Launch End-to-End Encryption For All Users -- Not Just Paid Accounts (blog.zoom.us) 39

Weeks after Zoom said it will offer end-to-end encryption to only paying customers -- a move that was received poorly by several privacy and security advocates, the popular video calling software said on Wednesday it is making some amendments: We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE (end-to-end encryption) as an advanced add-on feature for all of our users around the globe -- free and paid -- while maintaining the ability to prevent and fight abuse on our platform. To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools -- including our Report a User function -- we can continue to prevent and fight abuse.
This discussion has been archived. No new comments can be posted.

Zoom To Launch End-to-End Encryption For All Users -- Not Just Paid Accounts

Comments Filter:
  • So this effectively means nothing. It's just PR to cover for the fact that they're under the thumb of the Communist Party of China.
  • by hcs_$reboot ( 1536101 ) on Wednesday June 17, 2020 @11:47AM (#60193478)
    And all of that thanks to that Slashdot story [slashdot.org], amazing!
  • Zoom sure looks like a Dumpster fire.

  • "We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform." Translated: "We got caught trying to aid the CCP in their efforts to spy. Oops."
    • by netik ( 141046 )

      There's so many weasel words in that press release it blows the mind.

      "This will enable us to offer E2EE (end-to-end encryption) as an advanced add-on feature for all of our users around the globe "

      And why is it not on by default? Why?

      • by netik ( 141046 )

        Additionally: "Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. "

        This isn't for anti-abuse. It's to have something to give to LEO (Law Enforcement.)

        • No. It's for them to collect more personal information on you. They won't know what was said during the call since it will be encrypted (isn't it?), but at least, they'll know who (what phone number) was connected.
          Either you want to help LEO, and you don't encrypt, or you value privacy, and you don't ask for useless personal information such as a phone number. I don't see any reasons to sit on the fence.

          • by Alcari ( 1017246 )
            Exactly this. No, we don't know what [Citizen A] discussed with [Suspect B], but we know their phonenumber so.... now we know that [Citizen A] is John C. Doe, from Podunk, and we're going to have a chat with them. Grab the rubber hoses boys!
  • Rumors are, they will use a strong proven algorithm with a 256 bit key.
    The proven algorithm is known to have little impact on performance. It is called XOR. And as we all know, all 3-letter acronyms or companies are FANTASTIC.

  • by DigitAl56K ( 805623 ) on Wednesday June 17, 2020 @12:09PM (#60193598)

    I personally will not trust an encryption scheme from a company that seems to have been bullied into it rather than fighting for it.

    • This. They have a history of claiming security where none exists. Why believe them now?

      Besides, who believes the can effectively implement end-to-end for meetings of more than two people?

    • LOL...so basically there is NOTHING they can do from your perspective. If their product was not 100% designed morally right from the get go no amount of learning and improving will remove their sin. Man...you must be posting from a laptop and software that is entirely Richard Stallman approved.
      • by Anubis IV ( 1279820 ) on Wednesday June 17, 2020 @01:53PM (#60194016)

        I don't think the GP's stance is unreasonable, given that...

        - This is the company that up until recently had—and I wish I was kidding, but this actually happened—redefined "end-to-end encryption" in their documentation to mean something like "your traffic is encrypted on its way to and from us, but we're one of the 'ends' and can see everything". While that form of encryption is useful (it's actually called "transport encryption" and is used with HTTPS visits to sites, as an example), it is most certainly NOT end-to-end encryption. When they were confronted about it they doubled-down on their definition and said it was valid until enough public backlash built up.

        - This is also the company with over 400 developers (which I'd like to take a moment to point out is an absolutely ludicrous number of developers for a product this size, even without the additional details I'm about to mention) based in mainland China, who has been caught routing calls—even calls between users in the same locality who have a Zoom server near them—to Zoom servers in mainland China.

        - This is also also the same company that—just over two weeks ago at the instruction of "local authorities"—banned several US-based accounts after they hosted a conference call to commemorate the massacre at Tiananmen Square. That action, which was presumably requested by the Chinese Communist Party, was concerning enough to draw the attention of Washington, with several members of Congress reaching out just this week to formally demand that Zoom explain itself by the 26th.

        So yeah, given their track record, ongoing practices, and willingness to work in and with an authoritarian regime that has an interest in snooping on traffic, I don't think it's at all unreasonable for someone to not give Zoom the benefit of the doubt here.

        • by wagnerer ( 53943 )
          Even worse is they tried to 'roll their own' encryption. And naturally got it wrong. Even without the keys you could reconstruct recognizable video images given their bad implementation.
    • Indeed. What's even more insidious than lacking end-to-end encryption, is end-to-end encryption with a secret master key that they can turn over to certain countries (e.g. China). That tricks users into thinking that their communications is encrypted and safe, when in reality the encryption is useless against the government they're trying to protect themselves against.
    • I could not agree more. Who has the keys? If we don't know that, this is nothing but a marketing gimmick. And that goes for you too Facebook and Google and Microsoft and Apple and everyone else.
      • I could not agree more. Who has the keys? If we don't know that, this is nothing but a marketing gimmick. And that goes for you too Facebook and Google and Microsoft and Apple and everyone else.

        And keep in mind that truly secure E2EE is actually really hard to do in this sort of system. You have to have a server which both clients connect to in order to get introduced to one another, and that introduction is the point of weakness. Unless the two clients have some independent way of trusting one another (e.g. one of them has a signing key that the other one knows about from some out-of-band mechanism), the server can always MITM the connection. You can make the MITM process complicated and the atta

    • by tlhIngan ( 30335 )

      I personally will not trust an encryption scheme from a company that seems to have been bullied into it rather than fighting for it.

      And who knows if they're holding a copy of the key for the CCP to investigate any suspicious meeting?

      End to end is great, but it requires a lot of management to actually work. And given the way Zoom is, it's not entirely clear it's any better than sending it in the clear if everyone interested gets a hold of the keys to decrypt the stream anyways.

      You know, in case someone talks

    • > that seems to have been bullied into it

      If you've been following their communications for the past few months, it's actually quite the opposite. They were afraid of Bill Barr getting up in their craw if they gave it to everybody from the get-go. I had surmised that they would eventually get it out to everybody, in a quick dodge when nobody was paying attention (say after the election) because it's more expensive to maintain two infrastructures and encryption is cheap, but it appears that now they hav

  • You gotta give it credit, companies (and to a small extent the government) are actually responding to public outcry. I have never seen these type of reactions on this scale before. I honestly thought Zoom would give some mealy-mouth response and continue on without changing policy but behind the scenes they must have seen a drop off in users and people moving to other services in enough numbers to have them worried about losing the gains they have made.

    • Have we seen significant technical details regarding how this will be implemented, though? While I have taken a "let's give them a chance to show us" attitude with Zoom, they have used the term "end to end encryption" incorrectly before - so I want to see what they're actually doing before passing judgement.

    • Talk is cheap. What kind of encryption is used? What size is the key? Can Zoom decrypt steams?

      • That is a very fair point. If they can decrypt the streams then they've done nothing of worth and do not understand the idea of "end-to-end". Their rapid growth and this situation has them in the spotlight so with any luck they will draw the eyes of enough security professionals to at least try to get it right.

    • You gotta give it credit, companies (and to a small extent the government) are actually responding to public outcry.

      No you really don't. You don't give credit for a truly shitty company with outright shitty policies (we're not talking about bugs or low level decisions here, but active policy of a company) simply because they caved under pressure. We're also not going "give credit" to police departments who become less racist, we don't "give credit" to MS for open sourcing the windows calculator.

      You give credit to companies and people who actually behaved well while others abused their positions for their own gain. When $

      • I was giving credit to the protesters and online groups of people who are pushing these companies, not the companies themselves or the police departments. Just saying we've seen public outcry before with little results and now we are seeing the needle move, if slowly and not enough yet. People are unified in a way about these issue that companies are taking notice and seem to be a bit scared like they haven't before.

  • To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.

    Why is personally identifiable information needed for end-to-end encryption? I assume it's not technically needed, so what is the business justification? It's not clear whether the lack of end-to-end encryption or the presence of personally identifiable information is worse for privacy.

    It's also interesting that the PR couches the need for personally identifiable information as a protection for users.

    Will this this end up being PR-positive for Zoom?

    • by netik ( 141046 )

      Because when Zoom gets a subpoena, they want to be able to turn over your information to Law Enforcement. It's as simple as that.

      And I guarantee you that the E2EE has an escrowed key that Zoom has access to.

      I would not trust their encryption. For starters, your client does not control the key. Zoom controls the key. In true E2EE, the moderator would generate the key at the start of the meeting, and the key would not be held by zoom.

      From their whitepaper:
      https://github.com/zoom/zoom-e2e-whitepaper/blob/maste

      • by spitzak ( 4019 )

        You are quoting the "Current system" portion of that document. It then goes on to state the new system they are implementing to get End2End encryption (I guess this is done now but only for commercial clients). That has the quote "every Zoom application generates it's own public/private key pair". Whether what is described is actually secure I don't know, but quoting the wrong section is misleading.

    • by Anonymous Coward

      To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.

      Why is personally identifiable information needed for end-to-end encryption? I assume it's not technically needed, so what is the business justification? It's not clear whether the lack of end-to-end encryption or the presence of personally identifiable information is worse for privacy.

      It's also interesting that the PR couches the need for personally identifiable information as a protection for users.

      Will this this end up being PR-positive for Zoom?

      It's so the CCP can track down dissents^W citizens who need some additional training.

      And don't believe for a moment that Beijing isnt' going to have the decryption keys. Whether Washington gets them depends on whether Zoom pulls an Apple and gripes and moans about "rule of law" and "user privacy".

  • Zoom figured out that handling calls between paying an non-paying customers, and groups of paying and non-paying customers will be a nightmare to code and debug. It is much easier to use a single system.
  • ...will be available only for paid accounts!
  • I suspect it will not really be end-to-end encryption. You almost can't do end-to-end encryption. The video has to be manipulated by the server to change bit rate or resolution for different recipients.

    So it will be encrypted in transport, but decrypted at the server.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...