After intense scrutiny, Zoom tightens up security with version 5. New features include not, er, spilling video calls to network snoops

Government communications

The UK Gov has had a secure communications team working near a train maintenance depot in southern middle England for decades. Their kit is used for secure communications with embassies abroad, for instance.

Do they really not have a video versions?

Re: Makes my job harder

I'm not getting this whole "decrypted at the server" thing... They have a separate TLS encrypted channel which distributes a one-time key to all participants and I'm sure I've read somewhere in Zoom's docs that the video and audio is then sent through their servers in its encrypted format so that only participants can access it. So that's basically end-to-end encryption.

In spite of some naive mistakes which aren't ideal, the product has essentially been secure enough most use cases for ages and is now improving to be even tighter.

The "zoom bombing" stories of late seem to be mainly down to users publishing private meeting links and most recently also either disabling the waiting room or approving people to join without checking who they are.

There's only so much that can be done to mitigate some of the user errors - Zoom's trying to do what it can and it now has very clear guides about to use the service safely

Personally I find the new default waiting room to be a pain and I certainly get the argument that it may be putting off some users. I'm sure it's very useful in some scenarios but for smaller private meetings I've turned it off.

For now I'm continuing to use it and pay a subscription because it's by far the best and most reliable tool I've tried.

Teams is just horrible and hangouts feels terribly basic although I really like the automatic closed caption transcript feature. The current 4 (visible) videos limitation is an especially big drawback in my view. Zoom is slick and scalable, feature-rich, fast and stable so I use it for everything from business meetings to chatting to my family.

Re: Makes my job harder

"persuading higher powers to read the Ts&Cs"

Nobody expects to have to read the T&Cs (or the Spanish Inquisition).

Re: Makes my job harder

"Already having enough trouble persuading higher powers to read the Ts&Cs before signing up"

If you have a legal department (and assuming you aren't that legal department!) you could simply get into the habit of running all T&Cs past them. That way they can intervene with the higher powers.

Re: Makes my job harder

You're forgetting one vital part of these conferencing systems - they ALL have to be able to be decrypted by the servers of the company if you want to be able to use features like the ability to join the conference by telephone.

If the supplier can't decrypt the streams on their servers, how do they get at the audio to send it to the telephone participant, and how do they inject the telephone participant's audio into the conference?

Nice so they respond "Zoom is not malware" even though it was a question based on a decision in software to bypass the security of an OS to bypass the need to press one button.

"They need to put more effort in to the details."

Nobody puts any effort into the details - which is why, four decades into the life of internet-based services, we have a constantly worsening security position.

The sad reality is that almost all of us are running on autopilot with attention reduced to mere collision avoidance, and services and systems developers are drawn from the same population.

Unless you're using Linux, in which case you get version 3.5.392530.0421

It might say version 5.0.0.0 on the file details, but when launched after updating it's showing 4.6.12 (20613.0421) on the splash screen, and the file version is 4.6.20613.421 when I check in Users/ AppData/ Roaming

Re: So they are using AES-GCM? and decrypting at the server? With what keys?

Yes those were all the questions my mom was asking before being able to see video of her new grand daughter.

Meanwhile my condo association has switched to holding their online meetings.over quantum fibre links from their individual tempest screened classified data centers.

Wait till el'reg readers find out what level of secure key distribution is used by their landlines phone

Re: So they are using AES-GCM? and decrypting at the server? With what keys?

"What does "using AES-GCM" even mean?"

AES-GCM is an implementation of Galois/Counter Mode which gives high speed encrypted comms on inexpensive hardware. NIST Special Publication 800-38D gives guidelines for reducing stream cipher attack and I'm guessing that Zoom's techies didn't bother to read it, because it sounds as if they are using nonces more than once. GCM isn't good at handling large messages because there's a relationship between short tags and large messages that permits an attacker to construct a ciphertext forgery with increasing probability of success. If the attacker has a good run of success they can determine the hash subkey which means that the authentication assurance is compromised.

AES-GCM is used widely and gives decent security if used in compliance with NIST guidance. Fail to implement it properly and there's not much point using it.

Re: Microsoft monitoring

In most cases yes, because they offer meeting recordings and live transcripts. Those two things are quite difficult to do without access to the stream. Same goes for the business versions. That's not a surprise and they've never claimed that it's end to end encrypted.

Re: Dumteedumers

What a treat for all those that just joined the room to have a look lol