Zoom finally adds end-to-end encryption for all, for free – though there are caveats Zoom has finally added what it says is end-to-end encryption to its video conferencing service at no additional cost for all users, whether they are paying subscribers or not. The feature has been long awaited given the service’s massive take-up as a result of pandemic lockdowns: something that swung a spotlight on its patchy …
Sorry to burst the PR bubble, but while the Zoom client and its encryption engine remains closed source Zoom can absolutely decide to break into an "E2EE" video chat with a simple update or even a list of users that Zoom has a second (backdoor) key for. All we have is a weak pinky promise that they won't listen in, so this is just a feel-good feature mostly saying they're not intentionally mass-hoovering the contents of every single conference that happens on their platform.
Give us an open source client that we can verify the encryption for, then there might be some actual confidence in this. Until then this is security theatre at its finest.
Agreed, OS is definitely the target for optimal Trust. But achieving it could cause serious delay. So I would settle for a formal security audit signed off by one or two of those we trust in the Crypto/Security community. Bruce Schneier and Ross Anderson spring to mind.
The reason that waiting for the OS version might cause significant delay is that their current codebase is likely to contain both legitimate commercial secrets which could advantage their commercial rivals and/or embarrassing kludges and admissions which they wouldn't want the world to see. Anyone who's written extensive code of their own will be familiar with that problem.
It is more important to get the product out there as soon as possible if only for the massive boost it will give to the E2EE awareness campaign. Even if it turned out to have NSA mandated/engineered backdoors in it, the eventual and inevitable exposure of those would, ultimately, further the cause.
So publish and be damned say I.
>open source the code
There is the Jitsi video conference software suite and the 8x8 service - however just a small problem of catching up with the ubiquity of Zoom...
"people will not be able to dial-in nor use devices that won’t support the end-to-end crypto. Third-party software that works with Zoom will also not work with the system"
A doctor of my acquaintance used to give first aid lectures. Once, when he challenged a student for not paying attention, he got the reply "but doctor, we're not really trying to do this". The same seems to apply here - this is a minimalist marketing driven response to customer feedback.
I'm pretty sure Zoom aren't actually interested in the content of conferences; they just can't be arsed to make the effort to secure them properly and conveniently because it doesn't affect the revenue stream. But they must be seen to "be doing something".
Who here trusts an encryption setup designed and deployed in only six months? People who think that's possible think "yeah we'll use AES-256 and that guarantees it is secure" while ignoring that 99.9% of encryption exploits rely on faults in the way it is implemented, the way keys are negotiated/communicated, etc. and not a weakness in the encryption scheme itself.
Remember they engaged an expert security consultancy - who I expect would have relevant security patterns in their bag that just needed tweaking to fit the Zoom model. Given the pressure, I would have focused on getting something out and so they've gone for a barebones but usable within the given constraints, solution. I would hope that they maintain the 6 month cadence in enriching the security solution and making it more user friendly.
Trust comes on foot and leaves on a horse, so goes the proverb. After all the ... questionable ... actions done by this company (lied about E2EE and doubled down on it, bypassed browser security, etc), why would anyone install anything from these people? Sure, they fixed problems when/as they were found, but why didn't they build it right in the first place? Not "right" as in error-free because everything will have bugs and snags, but with the right user-respecting intent? It is understandable that the suddenly locked-down Masses stampeded to Zoom to have something, anything, to muddle through work and school, but now that the dust has settled a bit, why do so many people keep using this? "In for a penny, in for a pound" and the fallacy of sunk costs?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
