Looking for:
Zoom app encryption -
The videoconferencing company Zoom has seen its star rise exponentially during the Covid pandemic, as friends and coworkers increasingly turn to the service for a communication lifeline. With this notoriety, though, has come mounting scrutiny of Zoom's security and privacy practices. Zoom is safe for most people. But as the United States federal government and other sensitive organizations ramp up use of the service, a clearer accounting of its encryption is due. That's harder to achieve than it should be, because Zoom has sent conflicting signals about its encryption approach.
A report in the Intercept on Tuesday noted that, based on its own technical white paper, Zoom had falsely marketed one of its features as making meetings "end-to-end encrypted. The company has since admitted that this is not the case, and now uses the word "encrypted" instead of "end-to-end encrypted" when meetings have the setting enabled.
Zoom still, though, hasn't removed its "end-to-end encrypted" pitch everywhere on its website and in marketing materials. In a blog post about its encryption posted late Wednesday, Zoom attempted to resolve the confusion.
While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. But, in some ways, the blog post only complicates things further. Gal reasonably points out that Zoom can add comprehensive encryption only if everyone in a meeting is logged in through one of the company's apps. If someone joins a Zoom meeting through a regular phone call, for example, Zoom can't extend its encryption to the legacy telephony network.
But Gal further writes that, with the exception of those connections and a caveat for recorded Zoom meetings, "we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.
The post also includes a diagram that seems to depict Zoom's system as being fully end-to-end encrypted for most audio and video calls. Based on the blog post, Aumasson and others point out that the system does not meet the criteria of being end-to-end encrypted because of key management—the logistics of generating, using, and storing the keys that encrypt and decrypt data.
The blog post says that Zoom currently manages and stores all of the keys involved in user data encryption in its own cloud infrastructure. By definition, this means that Zoom is not end-to-end encrypted, even if meetings remain encrypted on their whole route across the internet, because Zoom could use the keys it holds to decrypt the data during that journey.
In the blog post, Gal emphasizes that Zoom has extensive internal controls in place to keep anyone from using the keys to access users' video or audio meetings. Scott Gilbertson. Medea Giordano. Eric Ravenscraft. Louryn Strampe. An analysis of Zoom's encryption scheme, published on Friday by Citizen Lab at the University of Toronto, shows that Zoom does generate and hold all keys itself on key management systems.
The report notes that most of Zoom's developers are based in China, and that some of its key management infrastructure is in that country, meaning keys used to encrypt your meetings could be generated there. It's also unclear how Zoom generates keys and whether they're adequately random or might be predictable. Citizen Lab's investigation found that every Zoom meeting is encrypted with one key that is distributed to all meeting participants, and it doesn't change until everyone has left the "room.
Citizen Lab found that the key does not change when some participants join and leave, and only refreshes when everyone has left a meeting. Citizen Lab also found that Zoom uses an unexpected configuration for its transport protocol, used in delivering audio and video over the internet. Improvising alternatives in this way is often called "rolling your own" cryptography, typically a red flag given how easy it is to make mistakes that create vulnerabilities.
After reviewing Citizen Lab's findings, all the cryptographers WIRED spoke to for this story emphasized that Zoom's centralized key management system and opaque key generation is the biggest issue with the company's past end-to-end encryption claims, as well as its current muddled messaging on the subject.
Other enterprise video conferencing services take a similar approach to managing keys. The issue for Zoom is simply that the company made claims that evoked a much more secure—and desirable—offering.
Adding to the confusion, Zoom's blog post claims that the company can still make many of the guarantees that come with true end-to-end encryption. It seems clear, though, that governments or law enforcement could ask the company to build such tools and the infrastructure would allow it. The blog post also notes that Zoom offers a way for customers to manage their own private keys, an important step toward end-to-end encryption, by physically installing Zoom infrastructure like servers on their own premises.
A cloud-based option for users to do their own key management through Zoom's remote servers is coming later this year, according to Gal. What can the rest of us do? If it is, then why not just say, 'End-to-end encryption will be available later this year'? The fact is that implementing end-to-end encryption with the kinds of features Zoom offers is very difficult.
A free Zoom account can host calls with up to participants. Enterprise Plus tier users can have up to 1, people on the line. By comparison, it took Apple years to get end-to-end encryption to work with 32 participants on FaceTime. Google's enterprise-focused Hangouts Meet platform, which doesn't offer end-to-end encryption, can only handle up to participants per call.
For most users in most situations, Zoom's current security seems adequate. Given the service's rapid proliferation, though, including into high-sensitivity settings like government and health care, it's important that the company give a real explanation of what encryption protections it does and doesn't offer.
The mixed messages aren't cutting it. Andrew Couts. Lily Hay Newman. Matt Burgess. Justin Ling. Kate O'Flaherty. Most Popular. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University.
Read more. Senior Writer Twitter. Topics encryption messaging security Zoom. Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help. Plus: Indian hacker-for-hire groups, Chinese student espionage efforts, and more.
Putting sensor-packed Chinese cars on Western roads could be a privacy issue. Just ask Tesla. The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found. Plus: Google issues fixes for Android bugs.
No comments:
Post a Comment