Zoom finally adds end-to-end encryption for all, for free – though there are caveats

Zoom has finally added what it says is end-to-end encryption to its video conferencing service at no additional cost for all users, whether they are paying subscribers or not. The feature has been long awaited given the service’s massive take-up as a result of pandemic lockdowns: something that swung a spotlight on its patchy …

  1. Old Used Programmer Silver badge

    What about...

    A Raspberry Pi version of their software?

  2. whitepines Silver badge

    Sorry to burst the PR bubble, but while the Zoom client and its encryption engine remain closed source, Zoom can absolutely decide to break into an "E2EE" video chat with a simple update, or even keep a list of users that Zoom has a second (backdoor) key for. All we have is a weak pinky promise that they won't listen in, so this is just a feel-good feature mostly saying they're not intentionally mass-hoovering the contents of every single conference that happens on their platform.

    Give us an open source client that we can verify the encryption for, then there might be some actual confidence in this. Until then this is security theatre at its finest.

    1. Anonymous Coward Silver badge

      Personally, I'm less concerned about the encryption and more concerned about the key distribution mechanism.

      Other than that, I agree completely.

    2. Harry Stottle

      Yes but

      Agreed, OS is definitely the target for optimal Trust. But achieving it could cause serious delay. So I would settle for a formal security audit signed off by one or two of those we trust in the Crypto/Security community. Bruce Schneier and Ross Anderson spring to mind.

      The reason that waiting for the OS version might cause significant delay is that their current codebase is likely to contain both legitimate commercial secrets which could advantage their commercial rivals and/or embarrassing kludges and admissions which they wouldn't want the world to see. Anyone who's written extensive code of their own will be familiar with that problem.

      It is more important to get the product out there as soon as possible if only for the massive boost it will give to the E2EE awareness campaign. Even if it turned out to have NSA mandated/engineered backdoors in it, the eventual and inevitable exposure of those would, ultimately, further the cause.

      So publish and be damned say I.

  3. M-2

    What flavour is the source?

    For god sake, open source the code, then the world will be a better place!

    Signal did all this ages ago....

    1. Roland6 Silver badge

      Re: What flavour is the source?

      >open source the code

      There is the Jitsi video conference software suite and the 8x8 service - however just a small problem of catching up with the ubiquity of Zoom...

      Gartner Magic Quadrant for Meeting Solutions 2019

      Gartner Magic Quadrant for Meeting Solutions 2020.

  4. MachDiamond Silver badge

    "Patchy Security"

    Good grief, "Leaky Sieve" is a better description.

  5. MrReynolds2U

    Also curious whether this will work for browser-based participants. The article indicates probably not yet.

    And if you're using their record in the cloud option, is this encrypted at rest and only decrypted when you pull it down to play it?

    1. Sampler

      >And if you're using their record in the cloud option, is this encrypted at rest and only decrypted when you pull it down to play it?

      You're not using any encryption, as the article states, cloud record is not available during E2EE.

  6. YetAnotherJoeBlow Bronze badge

    Secure?

    So in other words, thanks for making available to me the exact feature set needed to disqualify itself. Congratulations, you covered all the bases.

  7. Mike 137 Silver badge

    Not really trying?

    "people will not be able to dial-in nor use devices that won’t support the end-to-end crypto. Third-party software that works with Zoom will also not work with the system"

    A doctor of my acquaintance used to give first aid lectures. Once, when he challenged a student for not paying attention, he got the reply "but doctor, we're not really trying to do this". The same seems to apply here - this is a minimalist marketing driven response to customer feedback.

    I'm pretty sure Zoom aren't actually interested in the content of conferences; they just can't be arsed to make the effort to secure them properly and conveniently because it doesn't affect the revenue stream. But they must be seen to "be doing something".

  8. DS999

    Rush job

    Who here trusts an encryption setup designed and deployed in only six months? People who think that's possible think "yeah we'll use AES-256 and that guarantees it is secure" while ignoring that 99.9% of encryption exploits rely on faults in the way it is implemented, the way keys are negotiated/communicated, etc. and not a weakness in the encryption scheme itself.

    1. Roland6 Silver badge

      Re: Rush job

      Remember they engaged an expert security consultancy - who I expect would have relevant security patterns in their bag that just needed tweaking to fit the Zoom model. Given the pressure, I would have focused on getting something out and so they've gone for a barebones but usable within the given constraints, solution. I would hope that they maintain the 6 month cadence in enriching the security solution and making it more user friendly.

  9. Anonymous Coward

    Trust?

    Trust comes on foot and leaves on a horse, so goes the proverb. After all the ... questionable ... actions done by this company (lied about E2EE and doubled down on it, bypassed browser security, etc), why would anyone install anything from these people? Sure, they fixed problems when/as they were found, but why didn't they build it right in the first place? Not "right" as in error-free because everything will have bugs and snags, but with the right user-respecting intent? It is understandable that the suddenly locked-down Masses stampeded to Zoom to have something, anything, to muddle through work and school, but now that the dust has settled a bit, why do so many people keep using this? "In for a penny, in for a pound" and the fallacy of sunk costs?

  10. EnviableOne Silver badge

    Finally

    it does what they said it did 18 months ago ....

Biting the hand that feeds IT © 1998–2021