Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Privacy Security IT

Zoom To Roll Out End-to-End Encrypted (E2EE) Calls (zdnet.com) 31

Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week. From a report: E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants. These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won't be able to access or intercept any ongoing E2EE meetings. Support for E2EE calls will first be part of Zoom clients to be released next week. To use the new feature, users must update theri clients next week and enable support for E2EE calls at the account level. This green shield will contain a lock if E2EE is active. If the lock is absent, Zoom will use its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but which the company can also intercept. Further reading: Zoom Adds Ability To Open Apps Like Dropbox And Slack, Event-Hosting Tools As Part Of Push Beyond Video Meetings.
This discussion has been archived. No new comments can be posted.

Zoom To Roll Out End-to-End Encrypted (E2EE) Calls

Comments Filter:
  • by bobby ( 109046 ) on Wednesday October 14, 2020 @12:56PM (#60607062)

    We keep hearing about things that are completely secure. Absolutely, the best of technology. But in a few years, oh no, that's completely insecure and deprecated and you need to upgrade. Okay, technology is advancing.

    How do we know there are no backdoors? How do we know the keys generated are secure and unique? That the Zoom software isn't capturing them and sending them to Zoom's servers?

    • by ShanghaiBill ( 739463 ) on Wednesday October 14, 2020 @01:45PM (#60607260)

      We keep hearing about things that are completely secure.

      Zoom's encryption is based on AES. It was designed with an open process, the source code is published, and it has been around for 19 years. There are no known backdoors and unlikely to be any. Encryption is way ahead of decryption and that is very unlikely to change.

      How do we know there are no backdoors?

      Use open standards that are used by multiple adversarial entities.

      If the US government uses AES, that doesn't mean it is secure.
      If the CCP uses AES, that doesn't mean it is secure.
      If Russia uses AES, that doesn't mean it is secure.

      If ALL THREE use it, then you can bet it is secure.

      How do we know the keys generated are secure and unique?

      Because you generate them yourself with independent software.

      That the Zoom software isn't capturing them and sending them to Zoom's servers?

      If Zoom was caught intentionally subverting security, their $150B market cap would go to about zero. So you can feel secure as long as you have faith that capitalists will continue to be greedy and self-interested.

      • "If the US government uses AES, that doesn't mean it is secure.
        If the CCP uses AES, that doesn't mean it is secure.
        If Russia uses AES, that doesn't mean it is secure.

        If ALL THREE use it, then you can bet it is secure."

        You're missing a few premises before your conclusion, because that doesn't follow at all.

  • I would assume the way to do this secretly is to embed the state of a hidden subkey within the generated key.

    Then the subkey isn't a 100% decryption key but partial such as 40-70%. Then if someone has that key it would reduce the work to brute force the rest to an easy-enough amount of work but still hard enough to keep commoners from discovering it.

  • by twdorris ( 29395 ) on Wednesday October 14, 2020 @01:21PM (#60607168)

    I honestly don't know...thus the post. How does one (as clients of Zoom) know that Zoom isn't just doing a man-in-the-middle key swap on you as you establish this "secure" channel? Is there any way for both ends to know for sure that it's really their public key the other end received during negotiation when both clients and the server between them are under Zoom control?

    • by twdorris ( 29395 )

      With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants.

      I guess that sorta answers my question...I assume there's some standard "public key crytography" distribution methodology that can be used to ensure that the key you received from the host is really the key the host originally sent.

      • There is. Each participant has a key pair, and the public half is published. The meeting host looks up each participant's public key and encrypts the session key with it before sending it to that participant. It has to be decrypted using the participant's private key, which isn't published anywhere so only the intended participant can decrypt their copy of the session key. This is the same method PGP and SSL/TLS use to securely distribute session keys.

        • NB: there are also key-agreement protocols that let two parties agree on a session key without ever exchanging the actual key even in encrypted form. Those protocols only work between 2 parties though so they're not suitable for use in a meeting with more than 2 parties.

    • If they write the software and all you see is the traffic there are many easier ways to compromise the traffic. You could catch man-in-the-middle attacks if you could compared the key negotiation material leaving and arriving at the other end through some other channel. If on the other hand they just used a random number generator that has some pattern that only they know about then your key agreement would be compromised and analyzing the traffic would give you no knowledge of the vulnerability.
    • Is there any way for both ends to know for sure that it's really their public key the other end received during negotiation

      You could call the guy on the other end with your cell phone and ask him to read the public key back to you.

      Seriously, if Zoom was doing a MITM, it would be detected in about five minutes and their $150B market cap would go straight into the toilet.

      What possible motivation would Zoom have to subvert security that would be worth losing $150B?

      • by thomn8r ( 635504 )

        Seriously, if Zoom was doing a MITM, it would be detected in about five minutes and their $150B market cap would go straight into the toilet

        Not necessarily - probably 99.8% of Zoom users don't understand what encryption is and think ROT-13 is sufficient for their needs.

        • Not necessarily - probably 99.8% of Zoom users don't understand what encryption is

          Zoom has 13 million daily users, so the other 0.2% is 260,000 people.

          A MITM is easily detected with out-of-channel communication.

  • by BeerFartMoron ( 624900 ) on Wednesday October 14, 2020 @01:40PM (#60607242)
    Can I manage my own keys? Or will it still generate them for me, and store them in China [theintercept.com]?
    • Look at this clown not even RTFS. Sheesh.

      E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants. These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won't be able to access or intercept any ongoing E2EE meetings.

      What a moron.

      • by GlennC ( 96879 )

        It took me a bit to realize that BeerFartMoron was calling themselves out. Well played!

  • by takochan ( 470955 ) on Wednesday October 14, 2020 @01:57PM (#60607298)

    Zoom is a US company in name only.. it is really a Chinese company

    The development labs and Engineers are in China
    Its CEO is Chinese, most of his family still lives there and are under the influence of the Chinese government
    The servers you connect to (even on all US calls) are in China (if they haven't been moved yet since the news on this broke about a month ago).
    They have already disabled accounts of overseas people at the behest of the Chinese government

    So given all this, it doesn't matter much what encryption they use. If the Chinese government wants to listen to your calls..they will.. Zoom is a Chinese company..

  • I'm all for everything that can be encrypted being encrypted. Technically though this just moves the interception point from their servers to the client, which they also control.

    I'm glad they've done this. I still wouldn't trust Zoom for anything I wouldn't say out loud in a crowded room.

  • I ask because I work for mafia...

  • by BAReFO0t ( 6240524 ) on Wednesday October 14, 2020 @07:52PM (#60608434)

    Sorry, Jitsi is my new love now. Go away.

    *gives Jitsi a big smacking kiss*

  • What about for those who are guests to join?

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...