back to article Not only is Zoom's strong end-to-end encryption not actually end-to-end, its encryption isn't even that strong

Zoom has faced increased scrutiny and criticism as its usage soared from 10 million users a day to 200 million in a matter of months, all thanks to coronavirus pandemic lockdowns. Cybersecurity research group Citizen Lab is among those turning the spotlight on the video-conferencing app maker, and on Friday, it published a …

  1. IceC0ld Silver badge

    They probably couldn't believe it when their numbers shot through the roof

    but now, they are also finding that being a new big boy on the block brings consequences, and when yesterday, they said their product is secure, and as it wasn't really in anyone's radar, they got away with it, today however, the rules changed, and now we see exactly what they have to offer, and it doesn't look too good in the harsh light of real world criticism :o(

    IIRC Mr Musk has just banned his people from utilising it

    hoping that the people with some security requirements - like the feckin GOVERNMENT take note, and adopt a properly robust application asap

    ME ? I don't use it, and only now for the first time due to the WFH edict, being forced to use Skype :o)

    considering I am sort of an IT geek, I really am a Luddite at heart LOL

    1. martinusher Silver badge

      I think of it as a piece of consumer software, a slapdash design and implementation that's OK for lightweight chat with a friend but not something I'd use professionally, especially if the material I was handling was confidential or sensitive.

      1. BebopWeBop Silver badge

        OK for a lightweight chat - provided you don't mind your details being snaffled (and those of people you talk to). For starters.

        1. Pascal Monett Silver badge

          Details ? My IP address, you mean ?

          Because you don't think I'd sign up to something free and input anything actually meaningful about myself, now do you ?

          China is welcome to my chats with my friends. I'm sure they'll be fascinated in listening to us plan and execute raids in 7 Days to Die. There's a lot of tension sometimes, there can be victory, but there can be death as well.

          No, I'm not bothered about China listening in, or anyone else for that matter.

          What I am very bothered with is high-placed people and/or companies that lie to my face. You said you had end-to-end encryption, but you lied. You said you had actual encryption, and you lied again. Don't come to me saying that you don't use the same definition of the word. You know very well how people use that word, and you used it on purpose. Now that the truth has come out you're trying a charm trick to pretend that you care.

          Well I don't care about you, you are on my blacklist and I will never be using your product, even for gaming chats.

          You should have been honest from the beginning. Nobody would have cared if you had said that your product used basic encryption. Nobody would have batted an eyelid if you had stated that comms were encrypted from client to server. It would have been honest, the public couldn't give a damn, and you wouldn't be in the spot you are now.

          Serves you right.

          1. TrumpSlurp the Troll Silver badge
            Black Helicopters

            Details?

            Allegedly snaffling non-Zoom information from your PC as well.

            So not just the things you think you are sharing.

          2. Headley_Grange Silver badge

            Said stuff, lied, got caught, said sorry. Said more stuff, lied, got caught again, said sorry again. Carried on exploiting users info for gain. Users didn't care, money rolled in.

            It's a business model that's been successful for Facebook, Google, Microsoft..........etc., so why wouldn't Zoom use it?

            1. Anonymous Coward
              Anonymous Coward

              Yeah, you'd think the politicians would hold them to account, on behalf of the people they are supposed to represent...

              Instead, they're cosying-up to them, asking them for favours.

              Is that what the UK means by "taking back control"?

              At least the Europeans fine them big time.

              Grrrrr.

              1. The Nazz Silver badge

                Poltiicians' advisers too.

                You know, those CMO who say do this, don't do that

                and erm excuse me while i just go and do what i wish, regardless of what i've just told you.

                It ought to be an automatic loss of office for being caught. Simply saying "Sorry" isn't good enough.

            2. Tomato Krill

              Facebook, Google, POTUS...

              1. Anonymous Coward
                Anonymous Coward

                Except for the part of "saying sorry". Not limited to US politicians, either.

              2. Pascal Monett Silver badge

                POTUS does not belong to that group. With Facebook and Google, it takes time and research to find the lie. With POTUS, it takes at most twenty seconds for him to contradict himself if it's not blatantly obvious in the first place.

      2. Chris G Silver badge

        If you are not paying for a guaranteed, security based, purpose built piece of software, consider everything to be consumer software and assume at some stage it will or can be compromised.

        I use Telegram and Skype occasionally and despite claims for security I automatically restrict the information I will exchange on these platforms or assume it may not be entirely private.

        1. Anonymous Coward
          Anonymous Coward

          Why do you believe that paying for a product makes it secure?

          Out of interest, what do you use for secure communications? Presumably, that option is not available for general use, just very specific contacts?

          1. tfb Silver badge
            Alien

            Why do you believe that paying for a product makes it secure?

            It doesn't. However if you are using a product or service which costs a non-negligible amount to provide and you're not paying directly for it then you need to start thinking about how it is being funded. Perhaps it is being provided by kind-hearted rich people, but perhaps it's not. In the case of Zoom (or Google, or Facebook, or ...) it turns out that it is indeed not.

            One thing that paying for a product or service can (but may not) achieve is to align the interests of the people paying for the service and those being paid to provide it: if you, as the payer, discover that the people you are paying are, say, leaking your data, then you stop paying and if enough people do this they go bankrupt.

            Obviously this does not always work very well. And equally obviously sometimes it really is kind-hearted (relatively) rich people, witness the entire open source movement.

            1. Anonymous Coward
              Anonymous Coward

              Those questions were directed at Chris G.

              1. Anonymous Coward
                Anonymous Coward

                re: Those questions were directed at Chris G.

                So a reasonable answer from someone else will not suffice!!!

                1. Anonymous Coward
                  Anonymous Coward

                  Re: re: Those questions were directed at Chris G.

                  Because I was interested in his specific response as he had suggested that paying for software makes it more trustworthy. I wasn't interested in everyone else's opinion but they knew better than me what I was after and rewarded me with 8 down votes.

                  It's like when you start a conversation with someone then someone else butts in and tells you what they think. It's called bad manners.

                  He also implied that Telegram and Skype weren't adequate for his secure communications, so I was interested in what he used in those instances. Again, apparently everyone else's opinion was that I was wrong to ask him.

                  To all the down voters - thanks, you really added to the discussion. /s

          2. P. Lee Silver badge

            Merely that if it isn’t advert supported, they can be punished by taking business elsewhere.

            Realistically, run your own servers, use well known protocols and control the traffic if you want even a vague hope of security.

          3. Doctor Syntax Silver badge

            "Why do you believe that paying for a product makes it secure?"

            What the OP said was If you are not paying for a guaranteed, security based, purpose built piece of software

            It's the bit's which you missed out that should give some degree of confidence about security. It may still fail, of course, but being paid for with a guarantee gives the purchaser some degree of come-back that might persuade the vendor to do their est to make it so.

        2. ovation1357

          Chris G - I'm currently paying £15 per month for Zoom. So my version is clearly more secure, right?

          1. Alumoi

            Next time use the joke icon, somebody sure as hell missed it.

        3. ST Silver badge
          Devil

          Telegram and Skype ...

          > I use Telegram and Skype [ ... ]

          ROTFLMAO

          And you protect yourself from Skype or Telegram snooping by restricting the information you exchange on these platforms? How do you do that, exactly?

          Please tell us your entire post was a sarcasm from beginning to end.

  2. HildyJ Silver badge
    FAIL

    Legal troubles too

    Politico reported today that "multiple [US] state attorneys general are banding together to scrutinize virtual conferencing company Zoom’s privacy and security practices."

  3. Yes Me Silver badge

    Not the end of the world

    "we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality"

    But for the vast majority of their recent influx of users - students & teachers, grandmas and grandkids, that really isn't a big deal and their traffic is worth anybody decrypting. So yes, they should fix, but actually this is not the end of the world.

    1. Smooth Newt Silver badge
      Meh

      Re: Not the end of the world

      But for the vast majority of their recent influx of users - students & teachers, grandmas and grandkids, that really isn't a big deal and their traffic is worth anybody decrypting. So yes, they should fix, but actually this is not the end of the world.

      I think it is a mistake to write it off as just "grandmas and grandkids". It is not just those people who have been using it - it's clear that it is used by friends, colleagues, and doubtless even lovers. You think Boris only uses it for Cabinet meetings?

      This is also is about the ability to gather the occasional pearl from the easily obtained lorry load of private sand. Even if it were somehow restricted to grandparents talking to grandkids, being a grandparent doesn't prevent you from also being a president, head of state, CEO, general or even a lowly industrial product developer. And intelligence isn't just the Big Secret, it is also background material to help build a full profile of the people you want to hurt, blackmail or spy on later.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not the end of the world

        At my place of work we're having to use Zoom because the company's official implementation of Microsoft Teams is a crock of shit, both because its performance is appalling and its UI is buggy and ugly.

        At the moment, we're permitting zoom (with a caveat of saying that cloud-based recording must not be used) for team meetings which don't involve disclosing any live network info nor live data.

        However in light of this latest research this policy may have to be restricted even more..

        The problem is that Zoom is really good! It has a nice UI, works on just about every modern platform and allows us to have a video wall of attendees much like in the photo of the PM's cabinet meeting.

        I'm holding out some hope that Zoom is going to get its shit together and fix these problems. It shouldn't take much to bump up the encryption to at least use CBC or even GCM ciphers although they need to stop calling this 'end-to-end' if it isn't, although if it isn't end-to-end then I'm struggling to understand why they need to do a key exchange to give all participants the same key to decrypt the stream?

        1. doublelayer Silver badge

          Re: Not the end of the world

          "they need to stop calling this 'end-to-end' if it isn't, although if it isn't end-to-end then I'm struggling to understand why they need to do a key exchange to give all participants the same key to decrypt the stream?"

          It's encrypted as it goes to and from the server. The reason the key needs to be sent to users is that they need to decrypt it after it comes back, the reason it's a separate key is that symmetric encryption like this is faster than asymmetric encryption that was used to send the key in the first place, and the reason it's the same key for everybody is that Zoom doesn't want to use any CPU time decrypting a stream and reencrypting it with a new key for other people (and on that point they're basically correct as doing that wouldn't fix any of their problems). The important detail when considering end-to-end is who generates and sends the key and who gets it. In an end-to-end system, the organizer of the meeting generates it and sends an encrypted version to each participant, and the server moves these encrypted chunks around but doesn't have the ability to read them, while in Zoom's system the server generates a key and sends it to all participants, and maybe stores it or leaks it or actually nobody knows but given what we do know it's probably not good.

    2. Stuart Castle Silver badge

      Re: Not the end of the world

      "But for the vast majority of their recent influx of users - students & teachers, grandmas and grandkids, that really isn't a big deal and their traffic is worth anybody decrypting. "

      Depends on what is being transferred. Anyone using Zoom for work related purposes could very easily fall foul of the GDPR. I know where I work we strongly advise users not to use Zoom, and anyone found to be discussing corporate business via zoom will be dealt with by their line manager when we reopen.

      Might seem a bit strict, but our IT director had serious concerns about both Zoom's security and their apparent lack of compliance with GDPR.

      That said, I don't know how we'd determine if someone had transferred corporate data via Zoom.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not the end of the world

        Very easily. My voice and my image are personal information and very identifiable to boot.

        Given how bad Zoom have been with their claims of encryption, on Mac their installation of web servers that aren’t removed on uninstall, their installer itself, it is very hard to believe their governance will comply with even basic data protection laws.

    3. Black Betty

      Re: Not the end of the world

      Current students become tomorrow's workers, and some of them WILL end up working in sensitive industries. Harvest their details and credentials now and save them for later.

  4. swm Silver badge

    I had to use Zoom for a virtual square dance and the system did seem to deliver a better quality experience than jitsi. I think they would have a good product if they get good security and less possibility of spyware.

    1. Warm Braw Silver badge

      I had to use Zoom for a virtual square dance

      Careful: we're less than two weeks into this lockdown and you're already on a slippery slope.

      1. Stoneshop Silver badge
        Stop

        and you're already on a slippery slope.

        Square dancing on a slippery slope is strongly advised against; you don't want to end up in hospital at the moment.

        1. Huw D Silver badge

          Re: and you're already on a slippery slope.

          <ObvDadJokes>

          I tried line dancing - got hit by a train.

          Then I tried tap dancing - fell in the sink...

          </ObvDadJokes>

    2. Len Silver badge
      Happy

      I think that for Jitsi to work well you need to set up your own server. Jitsi VideoBridge

      If you use the basic (no account, no server) option everything is handled Peer-to-Peer and all the processing etc. is done locally. This means that the slowest client decides the quality for everyone else.

      We are now considering setting up our own Jitsi infrastructure so we will never be dependent on dodgy third parties for our video conferencing needs.

      1. GrumpenKraut Silver badge
        Thumb Up

        Thanks for the pointer, Jitsi and quite a few others are mentioned over at libreplanet. They write "Not always reliable with more than two people." which is a bit of a warning, though.

        1. Len Silver badge
          Happy

          First of all, I think I should have pointed to Jitsi Meet instead of the Jitsi VideoBridge.

          I haven't tried running the server myself (more of a FreeBSD guy myself and it's primarily aimed at Linux servers from what I read), I only used it for a basic p2p session and that was on a slow machine so I assumed that was the reason the video was seconds behind the audio. Allegedly, though, running your own server should solve some of those issues.

          The law firm of a friend of mine has chosen Jitsi (they do a lot of human rights cases, no chances of them ever considering Zoom) and it seems to work for them. I don't know about their server spec, however, they might have gone to town with a massive VM to reduce dependency on the clients.

        2. The Nazz Silver badge

          ahem

          "Not always reliable with more than two people."

          A bit like sex and marriages then?

      2. Scene it all

        A minimalist AWS EC2 instance "t2.micro" with 1GB RAM seems to handle 2 to 3 Jitsi users at a time, at under 30% CPU and 50% memory usage. Any more than that and I would use a more powerful instance type with more network bandwidth. The advantage of doing this on a service like AWS is I can easily scale the resources up and down as required, and no capital outlay. Plus the people I talk to on it are all over the country.

        For a business using it for work-at-home, on-premise real hardware servers may be the way to go. But check bandwidth requirements.

        1. Len Silver badge

          I was thinking of putting it on a separate VM, alongside our other VMs. But yes, the downside is that you're paying for a relatively powerful VM 24/7 even when there's nobody on a call.

          When you say "more network bandwidth", what did you use and did you notice it bandwidth being a constraint?

          1. Scene it all

            I havn't pushed it. The measurements I have seen indicate that a t2.micro's network throughput is about 100 Mb/s. My comments about bandwidth for on-premise installations was because if you end up with 100 people using the service all at once, it can add up and your organization's internet connection might not have been sized for that kind of bandwidth. You can save bandwidth by telling people who are not speaking to turn off their camera.

            AWS charges for EC2 instances by the *minute*. So as long as you have a Machine Image saved with all your settings, you can STOP your instance and the charges stop. Then when you need it again, you START it with a simple command line. You have to have ddclient or some other DDNS mechanism set up because you won't get the same IP address back. There is a monthly charge for storing the machine image, but it is under $1 per month.

  5. redpawn Silver badge

    I don't use common definitions either

    They are too constricting.

    As a Triillionaire I respect your privacy and am protecting you from the corona virus as well*.

    *By privacy I mean that I am not selling your genetic information to termites and I warrant that the Corona Virus will not set fire to your servers.

    1. Ken Moorhouse Silver badge

      Re: I warrant that the Corona Virus will not set fire to your servers.

      What happens if you squirt hand sanitiser into the CPU or PSU fan?

      1. redpawn Silver badge

        Re: I warrant that the Corona Virus will not set fire to your servers.

        Clean shutdown?

        1. eldakka Silver badge
          Pint

          Re: I warrant that the Corona Virus will not set fire to your servers.

          That made me LOL, thanks for that.

      2. bombastic bob Silver badge
        Pint

        Re: I warrant that the Corona Virus will not set fire to your servers.

        as long as there's plenty of alcohol in that hand sanitizer you can expect a belch followd by "another, please"

    2. Wellyboot Silver badge

      Re: I don't use common definitions either

      If I need to purchase a zoom subscription I'll pay by sending a crack team of mime artists to display my financial gratitude.

      1. the Jim bloke Silver badge
        Pirate

        Re: I don't use common definitions either

        Mime artists are confined to working at home at present.

        Home being a pit full of scorpions, with LEARN THE WORDS in bas relief lettering around the rim 5 metres above the floor.

        1. Charles 9 Silver badge

          Re: I don't use common definitions either

          Too bad there was never a story of a mime wizard able to climb himself out of the scorpion pit using a mimed invisible rope. That would've been a trip.

        2. bombastic bob Silver badge
          Coat

          Re: I don't use common definitions either

          "Mime artists are confined to working at home at present."

          You know, a MIME is a *TERRIBLE* thing to waste!

      2. Stoneshop Silver badge
        Trollface

        a crack team of mime artists

        Anyone can easily do this, unless they're talking out of their arse.

  6. Roger B

    Friday morning on BBC News with Naga Munchetty, Nick Hancock said Boris whilst still in isolation (Hiding from those pesky reporters) was still using Zoom daily to keep in contact with his cabinet,

    1. Dave Robinson

      He uses Teams for talking to his sideboard though.

    2. Tom 7 Silver badge

      Another outbreak of Corona Virus was suspected at Zoom HQ in China as many workers there were found to be sweating, exhausted and breathless on the floor of their offices. Investigators discovered this was due to them accidentally eavesdropping on a UK cabinet zoom meeting.

  7. Alan J. Wylie

    A couple more comments from Bruce Schneier and Matthew Green

  8. John H Woods Silver badge

    Why do so many businesses seem to need video?

    Obviously we have to be able to screenshare to do real work (and "have to" see PowerPoints for some reason!) but I don't really need to see the faces of any of the people I work with and they certainly don't want to see mine. (I do get complements on my profile picture, but it's mainly "nice horse" - I don't like to use my own face without some other distraction because I look far too much like Anders bloody Brevik).

    In my opinion, if you can't tell that a participant's mind has wandered without a webcam, you've got too many people in your meeting.

    1. Tom 7 Silver badge

      Re: Why do so many businesses seem to need video?

      Faces are of little use - I find video calling takes me seriously into Uncanny Valley - I think its the eye-contact thing just makes everyone seem extremely shifty. Video is useful for white boarding of some forms and video of some peoples gestures is very occasionally useful.

      1. Phil O'Sophical Silver badge

        Re: Why do so many businesses seem to need video?

        I find that in video meetings eye contact is one thing that's missing. People tend to look at the image of their correspondent, not at the webcam, so never quite seem to make eye contact.

        1. John H Woods Silver badge

          Re: People tend to look at the image of their correspondent, not at the webcam

          Hmm, do I see a market for home teleprompters ("autocues") ?

        2. Anonymous Coward
          Anonymous Coward

          Re: Why do so many businesses seem to need video?

          re: "People tend to look at the image of their correspondent"

          That's an etiquette thing, people will adapt over time.

          Communication without visuals is definitely strange though, it's like a relationship with a colleague in another country - yes you speak but you don't really relate as you don't see their body language.

          Even after 2 weeks working from home, colleagues are becoming distant, as audio and text comms don't really make up for daily human interaction. I might only say a couple of things each day to my boss whilst at home, yet sitting next them at work allows things to be discussed easily.

          It will be odd when we all end up back on site together - I suspect it'll take a while to reconnect with "acquaintances" again.

          1. Doctor Syntax Silver badge

            Re: Why do so many businesses seem to need video?

            "Communication without visuals is definitely strange though"

            We've had the telephone for long enough for most of us to have got used to it.

          2. Mike Moyle Silver badge

            Re: Why do so many businesses seem to need video?

            "re: 'People tend to look at the image of their correspondent'

            That's an etiquette thing, people will adapt over time."

            ...and once the isolation is over and we're all back to physical interaction, the polite thing will be to look at a point six inches over the other person's head when conversing.

        3. Dr_N Silver badge

          Re: Why do so many businesses seem to need video?

          It's even worse when your webcam is above your laptop screen and you're using an external monitor only.

        4. Muscleguy Silver badge

          Re: Why do so many businesses seem to need video?

          If you are teaching or tutoring or explaining something to someone you need to be able to look at their eyes. It has been shown that when we get something our pupils expand. Hence the light of understanding.

          I first consciously experienced this when demonstrating labs in my honours year. IF you do not see this then you have to interrogate the student about their understanding until they do. Be very careful with Japanese or other Asian people as admitting a teacher has not explained something well is not considered polite as it shames the teacher. However as a teacher I need to know if the student has grocked something or not. I also need to know when working with colleagues whose English may not be the best.

          Looking for these little signs can be important. If I’m looking at the laptop cam I can’t see this. It’s fleeting as well, not something you can look away and come back to.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why do so many businesses seem to need video?

            Muscleguy>> I also need to know when working with colleagues whose English may not be the best.

            Yeah, working with people from Norfolk is difficult eh?

          2. tiggity Silver badge

            Re: Why do so many businesses seem to need video?

            Though of course pupil dilation can be due to other things like "attraction"

            Hence the use of belladona (Atropine) to give mydriasis back in the day

          3. Charlie Clark Silver badge

            Re: Why do so many businesses seem to need video?

            Exceptions prove the rule or do you really think that the majority of the current video conferences actually require that kind of one-to-one interaction? What about the problems due to being distracted by looking at group of people in close up with headsets?

        5. Charlie Clark Silver badge

          Re: Why do so many businesses seem to need video?

          I think this is why boffins keep tweaking the algorithms so make the eyes look as if they're looking at the camera. But, if you must do video, the best experience is with a camera as sufficient distance that optical distortion is limited.

    2. bombastic bob Silver badge
      Devil

      Re: Why do so many businesses seem to need video?

      has anyone else used Slack? Or even IRC? If you video conference, who wants to see an engineer in his "home clothes" [or lack of] anyway?

      IRC is free, and setting up your own IRC server wouldn't be all that hard... or just use freenode like everyone else with a serious project.

    3. ovation1357

      Re: Why do so many businesses seem to need video?

      During times of normality I'd be inclined to agree, and I was never keen on video calls in the past. But the technology has come into its own during this covid-19 crisis with everybody working from home.

      I've found that using video has really helped to put people more at ease with the situation. What started out as a reluctant 'maybe do video once a week' thing has turned into a daily video meeting and occasional video coffee breaks.

      Using Zoom really adds a human touch to this isolated way of working.

      For me, the really big question is: Will this continue to be relevant once all the social restrictions are lifted?

      1. John H Woods Silver badge

        Re: Why do so many businesses seem to need video?

        ovation1357: "I've found that using video has really helped to put people more at ease with the situation"

        Actually, that must be the answer. I suppose I (like a lot of us) are not really an average case, having been doing substantial telework for years (and years...)

    4. Doctor Syntax Silver badge

      Re: Why do so many businesses seem to need video?

      The usual answer to questions of this type is "Because they can."

    5. hoola Bronze badge

      Re: Why do so many businesses seem to need video?

      Because it is cool and you forget that the primary use is to replace endless physical meetings where some twat honks on reading off their PowerPoint presentation.

      None of these video conferencing tools are really that good with people looking like aliens, dropped calls endless problems getting yet another client to work. And then you have Teams, the biggest piece of shite to be foisted on to us. It's sole purpose appears to be to ensure yet more reliance on O365 and MS cloudy stuff. Just because it it Microsoft means that it IS all perfect and everyone MUST use it.

      Unfortunately Zoom has several huge advantages over other products:

      It works

      It is cross-platform with pretty much the same experience

      If you buy a subscription it is affordable

      This then brings you full circle, is it actually any worse from a security perspective than everything else?

      I don't know but from what has been reported WebEx is no better, it just happens to be owned by Cisco so it must be okay.

  9. Tomislav

    Obviously...

    I have and will in the future use Zoom software exclusively!

    I do recognize that there is a discrepancy between the commonly accepted definition of what I just said and what I actually have done and/or intend to do.

  10. Anonymous Coward
    Anonymous Coward

    If Boris says Zoom is secure...

    Who are we to challenge that?

    After all, he's our leader and taking us to the promised land - he can never be wrong.

    /s

    https://www.bbc.com/news/technology-52126534

    1. Fading Silver badge
      Paris Hilton

      Re: If Boris says Zoom is secure...

      He didn't actually say that though did he?

      1. Anonymous Coward
        Anonymous Coward

        Re: If Boris says Zoom is secure...

        Hey - a Boris apologist!

        You've not heard of "actions speak louder than words" then?

        You are aware of Boris relationship with the truth? It's along the same lines as Zoom's statements on "not using the commonly accepted definition".

        He's a politician - therefore anything he says doesn't matter.

        He's also a clown.

        1. genghis_uk Bronze badge

          Re: If Boris says Zoom is secure...

          No, in your linked article, there is no statement from Boris. The only mention of the safety of Zoom is this:

          "NCSC [National Cyber Security Centre] guidance shows there is no security reason for Zoom not to be used for meetings of this kind," the government spokeswoman said.

          You may want to bash Boris, you may even think you have a good reason to but this one is not it...

          That does not make me (or the previous poster) an apologist, I just think you are wrong on this occasion. His relationship with the truth may be suspect but you can't bend facts to meet your narrative - Isn't that what you say Boris does?

          1. Anonymous Coward
            Anonymous Coward

            Re: If Boris says Zoom is secure...

            @genghis_uk

            "NCSC [National Cyber Security Centre] guidance shows there is no security reason for Zoom not to be used for meetings of this kind," the government spokeswoman said.

            So Zoom routing insecure traffic via China isn't an issue for government comms?!?

            This is the same government that was advising people a few weeks ago that mixing with thousands of others at Cheltenham racecourse wasn't a serious heath risk... but hey, they're the experts. /S

            You are aware the reason given for the west banning Huawei is that Chinese authorities could demand the company turns over any encryption keys on its servers in China to facilitate decryption of the contents of encrypted calls. The same is true for Zoom, which incidentally, was developed by 3 Chinese companies.

      2. Anonymous Coward
        Anonymous Coward

        Re: If Boris says Zoom is secure...

        Government ministers communicating insecurely. Not what they probably mean by "being transparent". LOL.

        Who is responsible for their comms being secure exactly or doesn't it matter?

  11. Anonymous Coward
    Anonymous Coward

    Whatsapp group video

    Whatsapp does group video for up to 4 people.

    And that actually uses secure end to end encryption.

    Regardless of your attitude to Facebook.

    1. Anonymous Coward
      Anonymous Coward

      Re: Whatsapp group video

      Just for the down voters:

      "Videoconferencing like Apple’s FaceTime, and messaging apps like WhatsApp and Signal already use end-to-end encryption routinely to protect your traffic, and it works."

      Quoted from Matthew Green's crypto engineering blog.

  12. Persona Silver badge

    Perfect

    I'm pushing my wife and grown up daughters to use Zoom for their group chats. It's a bit mean of me, but in my defence I do feel a little bit sorry for anyone who has to eavesdrop.

  13. low_resolution_foxxes Bronze badge

    It's sad that my default opinion on this fits snugly between:

    -sounds like a free service has some Facebook-grade software borks and data privacy violations (quelle surprise)

    -I wonder if Zoom are failing to share info with GCHQ and the intelligence teams are upset? (although it sounds trivial to hack them, perhaps not en masse and automated)

  14. adam payne Silver badge

    Zoom responded that it wasn't using the commonly accepted definition of the term.

    A commonly accepted definition is just that, don't use it if you don't mean it.

    "While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," the company said in a blog post

    You weren't trying to deceive anyone using a commonly accepted definition, what's that smell?

    1. Stuart Castle Silver badge

      So they weren't using the commonly accepted definition of End to end encryption? What definition were they using?

      If that is a good defence, do you think that (when they re-open), I could go into my local Currys, walk out with an 8K TV? When I get arrested, could I just claim I own it, and then claim there is just a discrepancy between the commonly accepted definition of "I Own It" and the one I was using?

      1. Anonymous Coward
        Anonymous Coward

        "What definition were they using?"

        The Alice in Wonder version:

        “When I use a word,” Humpty Dumpty said in rather a scornful tone, “it means just what I choose it to mean — neither more nor less.”

        At least it wasn't Winnie the Pooh ...

  15. Def Silver badge

    Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

    That example's kinda bullshit. At least for video.

    While the example stands for raw bitmap images, video streams don't contain every frame as a raw image. Even key frames aren't stored as plain images like that.

    Additionally, encryption on a video stream can be implemented at different levels. Either at the file level where the entire file fragment (MP4, TS, MKV, etc) is encrypted, or at the stream level where sample data within the file is encrypted. Add in the potential multiplexing of audio and video samples within the stream, and the chances of you being able to pick out intelligible imagery is pretty slim.

    I'm not saying it's impossible, but given any random video stream, I'd be very surprised if you could make anything out.

    1. sed gawk Silver badge

      Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

      I agree with your underlying point about I-frames and the like being not exactly deterministic, even with respect to colour output (different GPU's render differently).

      However, I must disagree with your point about ECB. Given the same input, and same key, use of ECB mode of operations will produce the same output. When other modes are used, e.g. GCM or EAX, entire classes of attacks are prevented, by identical input producing different output.

      So ECB being used as the sole cypher mode of operation, is a massive red flag, suggesting the code is therefore unlikely to have been reviewed by a proper cryptographer.

      1. Def Silver badge

        Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

        I made no specific point about ECB. I was merely pointing out that the example given for the context in question isn't particularly realistic.

        Not using ECB should be a no-brainer. Sadly, "engineers" (Read: Copy'n'Paste Cowboys) these days tend to share what few brain cells they have via Stack Overflow.

        1. sed gawk Silver badge

          Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

          I agree the example of a raw image being implicitly decipherable is less applicable in this context.

          TBF to the authors, I'm struggling to remember ECB or indeed any mode of operations, being illustrated except with the penguin logo image.

          For curiosity, I googled with https://www.google.com/search?q=illustration+of+ECB+mode

          And gave up after a few pages without finding a suitable alternative image.

        2. Anonymous Coward
          Anonymous Coward

          Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

          That’s just used as a demonstration that an observer can see patterns in the enciphered data though, isn’t it. They were clear about that.

          1. Def Silver badge

            Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

            Yes, it was.

            But where's the repetition in a video stream? Variable size file fragments containing variable size samples broken down into a variable number of variable size blocks.

            Even a TS stream packet is 188 bytes in size, so you'd need four of them before you might start to see some repetition from the variable size packet headers, but I'm still not convinced that that would tell you anything about the data contained within.

            1. Nick Ryan Silver badge

              Re: Citizen Lab's visual demonstration of AES-ECB encrypting an image.

              Given the encoding it would (should) be possible to differentiate the various structures, as in filter out the multiplexed audio out to start off with. That leaves the video data. Most live encoding schemes don't use B frames, for obvious reasons, therefore we're usually left with just I and P frames. I frames are usually identifiable by their size and consistency whereas P frames being what they are can be pretty much any size and in numner and describe any of the various deltas between first the I frame and the next generated frame and then from one generated P frame to the next... from block data changes, colour adjustments, block position changes (movement) and so on - they are very efficient and well compressed therefore quite unlikely to be readily guessable compared to the I frame. Which given all the block filtering won't be too easy to pick out anyway.

              I do agree though, the example image is a bit unrealistic and unhelpful and is rather unlikely to be possible. However given better processes and more processing power? Who knows. Definitely best to avoid known weak encryption schemes.

  16. Lorribot

    "Zoom claims it routed encryption keys via China because it accidentally added Chinese servers "

    So they are a bunch of chancers that don't actually know anything about what they are doing but made it really easy to use and got lucky.

    1. LDS Silver badge

      Look at the last name of its CEO. Do you believe it's entirely by chance?

  17. Henry Wertz 1 Gold badge

    Probably not as bad as it sounds

    Probably not as bad as it sounds. I mean, Zoom was likely unaware that ECB had this property and should probably use something else. But, the shocking results with something like the Linux penguin are using a raw image format*; it happens because ECB works 16 bytes at a time, producing the same output when the same 16 bytes are fed in. With 16-bit (2 byte per pixel) data you'll get plenty of runs of identical 16 bytes. Run an image through PNG, JPEG, or probably H.264 or H.265 Zoom is using and run it through ECB and it's going to be irretrievable gibberish.

    *in fact, googling, a ppm file (which has a short text-based header for the first 3 lines followed by raw image data, in this case 16 bit per pixel...), probably stripped off those 3 lines, ECB ecnrypted the 16-bit image data, and put the 3 lines back up top so it's a valid PPM image file again.

    1. doublelayer Silver badge

      Re: Probably not as bad as it sounds

      Oh, sure. If I get you an encrypted blob that used to be a frame and try to render it as an image, it won't work and you'll see nothing. But that's rarely the issue. The issue is what happens when I run a program on a captured stream, meaning a bunch of images of similar areas and a bunch of similar sound data. Both of those are very pattern-heavy, and therefore both would be vulnerable to a concerted attack on the crypto. Consider what would happen if I took a compressed audio file which I encrypted in a zip file with a three-character password and rendered it as raw audio. You'd only hear a bunch of noise, and it wouldn't even be the same amount of noise. Yet, given the file, you could decrypt it, decompress the archive, and play back the compressed file with ease. They used a visual example to demonstrate the flaw in a way that was evident to the human eye; they didn't say you could do exactly the same thing with the data in this case, just that a computer could.

  18. Barry Rueger

    People don't buy encryption

    My significant other has a thriving piano teaching business, with a predominantly Chinese client base no less.

    When it became obvious (three weeks ago) that face to face lessons would soon be impossible she moved everything to her home piano room, bought the last two webcams in town, and moved on line.

    It didn't take long to realize that Zoom put Skype to shame, and after a couple of weeks she's still finding genuinely very smart and useful features.

    And, in what's sadly an unusual thing these days, everyone has found Zoom remarkably easy to set up and use.

    It's fine to criticize Zoom 's security shortcomings, but the actual product is pretty darned impressive.

    And hey, if you can see your userbase grow that much, that quickly, without a major crash and burn I'm impressed.

    1. Def Silver badge

      Re: People don't buy encryption

      The massive shit my dog did in the garden earlier puts Skype to shame. The bar isn't particularly high. :)

      1. low_resolution_foxxes Bronze badge

        Re: People don't buy encryption

        Any photos of the turd for comparison?

        1. Def Silver badge

          Re: People don't buy encryption

          Comparison to what? Are you a collector? ;)

    2. tfb Silver badge
      Terminator

      Re: People don't buy encryption

      I don't think anyone is denying it's a functionally good product.

      The problem is that it's also a product which is not suitable for some purposes. I'd be more than a bit unhappy if my bank kept my account details on unencrypted storage in a public cloud, and I would also be a bit unhappy if they had videoconferences in which they might discuss information on how to access their data which were not fully encrypted. And they are doing the second of these things, because they are using Zoom.

      And they are doing that because Zoom lied about what the security of their product was. Lying about the security of your product, when you know that your product is being used in environments where security really matters, is very definitely not OK.

      Of course, continuing to use that product in security-sensitive environments when you know that it is not secure is also, at best, fucking stupid and, at worst, something much worse than that. And cabinet meetings are, in fact, security-sensitive: it really is the case that people, for instance other nation states, would go to considerable lengths to have information about what is discussed in cabinet meetings. That's why spies exist. If the UK government are still using Zoom for cabinet meetings then they really should not be the UK government, because they are incompetent or worse.

      Finally the subject of your comment is just factually wrong: yes, some people do buy encryption. Some people spend a great deal of money on it, and I'm glad they do, because I'd like all my money not to get sucked out of my bank account, for instance.

      1. tellytart

        Re: People don't buy encryption

        What most people are fogetting is that end to end encryption client to client isn't possible when you want to use other features offered by zoom:

        * Recordings of the conference

        * Telephone dial-in numbers to join the conference

        1. Anonymous Coward
          Anonymous Coward

          Re: People don't buy encryption

          What most people are forgetting is that Zoom is misleading them about end to end encryption when they want to use other features offered by Zoom.

          TFTFY

        2. doublelayer Silver badge

          Re: People don't buy encryption

          I've heard this argument before. It was stupid then, and it is now. There are three solutions to the problem of not being able to offer some features and provide end-to-end at the same time. They go like this:

          1. Offer end-to-end and work on enabling the features in a more security-conscious way (store recordings on the cloud in an encrypted form that cannot be decrypted without the user-stored key, have dedicated call-in boxes with encryption built in that cannot continue to store keys and have individual trackable keys so only authorized ones can be added).

          2. Offer end-to-end, and if someone tries to enable one of the features that doesn't work with it, you tell them they can only have one and prompt them to choose.

          3. Don't offer end-to-end, don't lie about having it anyway, and cite those reasons when people ask (and most won't ask).

          Any one of those is a legitimate way to handle it. What they did wasn't.

      2. Anonymous Coward
        Anonymous Coward

        Re: People don't buy encryption

        "they really should not be the UK government, because they are incompetent or worse."

        People knew that when they voted for them.

        Unfortunately, "Every nation gets the government it deserves."

        1. Charles 9 Silver badge

          Re: People don't buy encryption

          "People knew that when they voted for them."

          DID they? That's a VERY iffy assumption. Worse, if the assumption actually holds, then we've basically proven ourselves unfit for any kind of grand civilization.

          1. tfb Silver badge

            Re: People don't buy encryption

            I think they knew yes. There was something that was more important than competence to them.

            1. Anonymous Coward
              Anonymous Coward

              Re: People don't buy encryption

              They couldn't figure out for themselves that a clown is likely to be incompetent leader?

              Seriously?!?

          2. Anonymous Coward
            Anonymous Coward

            Re: People don't buy encryption

            Voting for the "least worst guy" is a guarantee for appalling governance.

            If people want the country to improve, they should vote for someone that will make that happen, not just to keep the really s**t guy from winning.

            Voting for mediocre rather than rubbish won't improve anything.

            1. Charles 9 Silver badge

              Re: People don't buy encryption

              "Voting for the "least worst guy" is a guarantee for appalling governance."

              That assumes there's any kind of better alternative, though. If the only choices you have are devils and demons, you're not getting a happy ending, plain and simple.

              IOW, sure mediocre won't improve things. But at least by not choosing rubbish, you avoid things actually getting worse.

        2. The Nazz Silver badge

          Re: People don't buy encryption

          It's only like 2016 with Clinton and Trump, 2019 Johnson v Corbyn

          People clearly knew what they DIDN'T want. **

          What proportion of Labour members (circa a third?) couldn't even be arsed to vote for one of Starmer, Long-Bailey nor Nandy. Wow.

          1. tiggity Silver badge

            Re: People don't buy encryption

            Perfectly reasonable that 1/3 did not have a strong preference for any of the candidates.

            Could also be that given the pandemic meant campaigning was "stopped" (arguably a few contraventions) and with everything else going on pandemic wise then could be that casting a vote was not uppermost in the mind of lots of Labour members

            And cannot rule out that with government sitting on a big majority many maybe CBA to vote as expecting Conservatives in power for a while.

    3. Barry Rueger

      Re: People don't buy encryption

      OK, Zoom just launched a major clusterfuck by mandating passwords with no warning and no reasonable warning. Two dozen students scrambling to figure out how to join the first ever online piano recital.

      Although I appreciate the intent, this was really, really messed up.

      1. Adair Silver badge

        Re: People don't buy encryption

        You, and they, will get over it.

  19. YetAnotherJoeBlow

    Trust

    I read an article in the WSJ app today (UTC +8) about Mr. Yuan. Mr Yuan gave a good interview - he almost had me - then he finishes with the insinuation that "someone" has targeted his company.

    It's game over for me - even if someone has targeted the company. This sentiment taken together with past statements Mr. Yuan has made paints a bad picture.

  20. Anonymous Coward
    Anonymous Coward

    Ah but its Huawei, not Zoom, who are in league with the Chinese government ;)

    According to the Ministry of Truth.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ah but its Huawei, not Zoom, who are in league with the Chinese government ;)

      Why else do they think people are burning down 5G towers?

      ;)

      1. Anonymous Coward
        Anonymous Coward

        Re: Ah but its Huawei, not Zoom, who are in league with the Chinese government ;)

        Because they mistake them for textile mills?...

  21. jonnycando

    I didn't even know what Zoom was until all this news started to pop up....and from what I can tell it's just a total train wreck....a very poorly conceived piece of software...and the makers are like....."who me?"

  22. Tree
    Pirate

    What is ZOOM's privacy policy?

    Prying eyes want to know if the privacy is anything like facebook's. Prying eyes want to know Is ithe privacy policy unintelligible gibberish like google's? Does it continuously change to make it meaningless? Panda boy, Xi Jinping, wants to listen in on your meetings.

  23. SVV Silver badge
    1. hoola Bronze badge

      Re: Insecurity can cost you a lot

      Before slagging off Zoom too much you need to look at who will gain.

      All these tools appear to have the same problems. Zoom it just getting all the attention because of it's meteoric rise in popularity.

      Bluntly if "rogue governments and organisations" are spying on Zoom content then it will be everyone, probably with the US at the top of the list.

  24. cyberdemon
    WTF?

    Their own users and devs have been moaning about the borked web client for three days now

    https://devforum.zoom.us/t/in-progress-web-sdk-web-client-from-browser-403-forbidden/10782/110

    They still haven't fessed up on their own forums that its because of this security TITSUP

  25. Anonymous Coward
    Anonymous Coward

    "Interesting that Zoom splits its platform into China and non-China."

    It's the local law, as previously reported in The Register: https://www.theregister.co.uk/2017/06/01/china_cybersecurity_law/

    I wouldn't mind having a similar one to keep my data in the EU, too.

  26. fraunthall

    This May Have A Geo-Political Component

    Could this be another Chinese Communist Fascist attempt to subvert electronic communications throughout the rest of the world in their hegemonic obsessions? Given that China is now being accused, and the evidence is very strong, of unleashing the Corona Virus plague on the rest of the world as part of their hegemonic obsession to become the only giant military and economic power of consequence in the world, it is fair to be suspicious that Zoom is part of that evil plan. Even the British Prime Minister's Office was caught in their web. While that is shameful in itself, it is indicative of the naive willingness of the technologically ignorant to trust the technology on the Internet, despite the myriad warnings from those who really know what they are talking about. Although I am not a hacker or coder I read the stuff published by Bruce Shneier and am suspicious of everything on the web as I was even before I heard of Bruce. Why aren't the so-called experts in the bureaucracies at least that curious? That applies especially to those in the offices of the highest public official in the U.K. Are they the idiots I think they are? I guess I was right.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020