Zoom's end-to-end encryption, not really end to end.

UnknownSouljer ([H]F Junkie, joined Sep 24, 2001, 9,041 messages)
UPDATE 2020-04-17: Zoom hires a bunch of security experts to help fix zero-day exploits.
https://www.thefpsreview.com/2020/0...-exploits-as-hackers-are-selling-them-online/

UPDATE 2020-04-09: US Senate tells members to not use Zoom, due to ongoing security issues with the platform.
Here are some noteworthy tidbits:
The US Senate has become the latest organization to tell its members not to use Zoom because of concerns about data security on the video conferencing platform that has boomed in popularity during the coronavirus crisis.
...
Zoom was forced to apologize publicly last week for making misleading statements about the strength of its encryption technology, which is intended to stop outside parties from seeing users’ data.
The company also admitted to “mistakenly” routing user data through China over the past month to cope with a dramatic rise in traffic. Zoom has two servers and a 700-strong research and development arm in China. It had stated that users’ meeting information would stay in the country in which it originated.

https://arstechnica.com/tech-policy/2020/04/us-senate-tells-members-not-to-use-zoom/

Here is another source with similar coverage for those wanting something other than Ars:
https://www.reuters.com/article/us-zoom-video-commn-privacy-senate-idUSKCN21R0VU
and
https://www.cnet.com/news/us-senate-reportedly-tells-members-to-avoid-zoom/

===========

ORIGINAL POST 2020-04-02: Consider this a PSA.
For those of us who are more security-conscious, especially during this time when we're all stuck taking online meetings, Zoom is an open sieve of security flaws.

According to Zoom, as of today some of the Windows vulnerabilities have been patched up (first link is updated). But without end-to-end encryption, any and all of the data that Zoom collects could be given to government agencies or sold to big data.

A report published today by The Intercept finds that the claim might be misleading. Instead of end-to-end encryption for audio and video, Zoom offers something slightly different, called transport encryption.
When The Intercept asked Zoom about its encryption capabilities, a spokesperson straight-up responded that they can't do it. "Currently, it is not possible to enable E2E encryption for Zoom video meetings," the spokesperson said, adding, "Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."

https://arstechnica.com/tech-policy...e-growing-as-platform-explodes-in-popularity/

Attackers can then use the credentials to access shared network resources, such as Outlook servers and storage devices. Typically, resources on a Windows network will accept the Net-NTLM-v2 hash when authenticating a device. That leaves the networks open to so-called SMBRelay attacks, that can be used to gain unauthorized access to various resources. These attacks don’t require a cracking technique to convert the hash to its corresponding plain-text password. Obtaining the hash and replaying it to a network service is sufficient to be authenticated.
https://arstechnica.com/information...rs-steal-windows-credentials-with-no-warning/

Alternatives? I guess: FaceTime, Skype, and Google Hangouts.
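The Ars passage quoted above distinguishes transport encryption (TLS to Zoom's servers, with the UDP AES key negotiated over that TLS connection) from end-to-end encryption. The Python below is an added example, not code from this thread or from Zoom, modelling why that distinction matters for the data-collection point made above: with per-hop keys the relaying server must decrypt to forward, while with a meeting key the server never holds it can only relay opaque bytes. The toy HMAC-based stream cipher, the key names (`k_alice_server`, `meeting_key`) and the relay logic are all constructed for illustration and do not describe Zoom's actual protocol.

```python
# Added example: a model of transport encryption versus end-to-end encryption.
# Not code from the thread or from Zoom; the cipher, keys and relay logic are
# constructed for illustration only.
import hashlib
import hmac
import secrets

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF stream cipher: keystream = HMAC-SHA256(key, nonce || counter).
    Stands in for AES so the example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the XOR-encrypted body."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(): split off the nonce and XOR with the keystream."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def transport_mode(message: bytes) -> dict:
    """Transport encryption: each client shares a key with the server (the
    'AES key negotiated over a TLS connection' in the quote). To forward
    Alice's media to Bob the server must decrypt it, so it sees plaintext."""
    k_alice_server = secrets.token_bytes(32)   # constructed per-hop key
    k_bob_server = secrets.token_bytes(32)     # constructed per-hop key

    on_wire = encrypt(k_alice_server, message)       # Alice -> server
    server_view = decrypt(k_alice_server, on_wire)   # server decrypts
    forwarded = encrypt(k_bob_server, server_view)   # server -> Bob
    bob_view = decrypt(k_bob_server, forwarded)

    return {
        "server_can_read": server_view == message,
        "bob_receives": bob_view,
    }


def e2e_mode(message: bytes) -> dict:
    """End-to-end encryption: Alice and Bob share a meeting key the server
    never receives. The same per-hop transport keys still exist, but what the
    server recovers after its hop is only the inner ciphertext."""
    meeting_key = secrets.token_bytes(32)      # known to Alice and Bob only
    k_alice_server = secrets.token_bytes(32)
    k_bob_server = secrets.token_bytes(32)

    inner = encrypt(meeting_key, message)            # end-to-end layer
    on_wire = encrypt(k_alice_server, inner)         # transport layer
    server_view = decrypt(k_alice_server, on_wire)   # == inner, still opaque
    forwarded = encrypt(k_bob_server, server_view)
    bob_view = decrypt(meeting_key, decrypt(k_bob_server, forwarded))

    return {
        "server_can_read": server_view == message,
        "bob_receives": bob_view,
    }


if __name__ == "__main__":
    # Constructed sample payload standing in for a media frame or chat line.
    msg = b"constructed sample: Q3 revenue is 4.2M"
    print("transport mode, server can read:", transport_mode(msg)["server_can_read"])
    print("e2e mode, server can read:      ", e2e_mode(msg)["server_can_read"])
```

Both modes deliver the message to Bob intact; the only difference is whether the relay ends up holding plaintext. That is the property to ask a vendor about when evaluating a conferencing product: not whether traffic is "encrypted" (TLS already gives that on each hop) but whether the service ever possesses a key that decrypts the meeting content.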
 
Honestly, I hadn't even heard of Zoom until a couple of weeks ago. There are like a billion different little apps in this space, so it shouldn't be too difficult to find an alternative depending on what you need.

Just video chatting? WhatsApp or Skype are pretty good for that, as is Google Hangouts. FaceTime isn't really a viable alternative since it is not cross-platform.

Need more collaboration tools? I mean, the sky is the limit these days. Skype for Business or Microsoft Teams work pretty well. As does GoToMeeting. WebEx still does the job. AT&T Connect is pretty good too.

I mean, if you look at the Wikipedia page comparing features of different web conferencing tools, there are more of them there than you can shake a stick at.

I don't understand why anyone would use Zoom with their pathetic track record on privacy and security. It's not just now that stuff like this is coming to light. Zoom has been criticized for their privacy and security forever. They would be one of my last choices.

I also don't understand why there are so many new entrants like Zoom into such a crowded space, which has been crowded forever. Usually companies try to find a niche that they can excel at, not jump head first into a crowded field.
 
You're not wrong, but all the same - they use it because it is super simple, millions are now suddenly forced to work at home, and they aren't IT folks. It really is super simple to setup and use for the use cases huge numbers of people have.
 
You're not wrong, but all the same - they use it because it is super simple, millions are now suddenly forced to work at home, and they aren't IT folks. It really is super simple to setup and use for the use cases huge numbers of people have.

Is Zoom free? That's probably another reason. My company uses GoToMeeting, but it's not free.
 
Zoom is very popular in the business and education world. Honestly they're always a pleasure to deal with, I have only good things to say about their support. I've admin'd it for a couple years now.

Some of these missteps come down to dumb defaults and them pushing convenience over all other aspects. This is what fucked Ring over not too long ago. So hopefully they learn their fucking lesson for real. They've been bitten multiple times by this kind of shit already. A while ago they were using some goofy hackaround with a web server to save like 1 mouse click to join a meeting on Macs. Retarded and ridiculous.
 
while ago they were using some goofy hackaround with a web server to save like 1 mouse click to join a meeting on Macs. Retarded and ridiculous.

Now that you mention it, I remember that.
 
My company uses (mostly) WebEx. We have been told to use video as little as possible due to our VPN clients being slammed with like 100k+ people.
 
Yeah, WebEx and "Lync" (Skype) here for work. And no video for any conferencing - cameras are not even installed on the laptops - unless you have some customer contact, then you have special dispensation for video.

It is amazing how many players there are in the space, and how quickly Zoom took hold here...
 
It is not. It has a licensing system.
https://zoom.us/pricing
There is a free variety as well, but it comes with limitations, a 40-minute limit being a notable one.
I assume that limit is based on the person hosting? Because my kid has had a couple of virtual playdates (he's 4, don't judge) and they have gone on way longer than 40 minutes... of course I dunno if my wife simply had to hang up and rejoin, but we have not paid for any of it.
 
Are those playdates one on one? Because the free tier says those are unlimited - the 40-minute limit applies to groups of 3 or more.
 
Last one I peeked in on had 4 different windows, one of which was him of course, and I think there have been more as well.
 
Are those playdates one on one? Because the free tier says those are unlimited - the 40-minute limit applies to groups of 3 or more.

Yes, 1-on-1 are unlimited.

If you need more, the host of the meeting must be licensed. The other participants don't matter - they don't even need a Zoom account.
 
OK, talked to the wife, who said that at 40 minutes you either get cut off or randomly get extended to unlimited time. Maybe since they're collecting all the data they see little kids playing around, not people trying to make money off it :D But worst case scenario is someone else makes a meeting and sends out invitations to that.
 
There used to be one*, non-US-compromised, P2P tech, but MS bought it and destroyed it. Unless one rolls their own, there can be no security and no privacy. You can't trust anyone.

* Skype was the real deal a decade ago. But we can't have that. If someone else comes up with something good, they will have to either sell out, like those guys, or face consequences. Conspiracy much? No, not really. Can't trust anyone. Not the US, not Israel hahahah, not Russia, not EU (a.k.a. US vassals) and no, not China either.

If you have the means (you don't), you roll your own.
 
Honestly, I hadn't even heard of Zoom until a couple of weeks ago. There are like a billion different little apps in this space, so it shouldn't be too difficult to find an alternative depending on what you need.

Just video chatting? WhatsApp or Skype are pretty good for that, as is Google Hangouts. FaceTime isn't really a viable alternative since it is not cross-platform.

Need more collaboration tools? I mean, the sky is the limit these days. Skype for Business or Microsoft Teams work pretty well. As does GoToMeeting. WebEx still does the job. AT&T Connect is pretty good too.

I mean, if you look at the Wikipedia page comparing features of different web conferencing tools, there are more of them there than you can shake a stick at.

I don't understand why anyone would use Zoom with their pathetic track record on privacy and security. It's not just now that stuff like this is coming to light. Zoom has been criticized for their privacy and security forever. They would be one of my last choices.

I also don't understand why there are so many new entrants like Zoom into such a crowded space, which has been crowded forever. Usually companies try to find a niche that they can excel at, not jump head first into a crowded field.

Zoom is not a new entrant; they are used by a huge mass of enterprises, and they have basically been wiping the floor with WebEx in the enterprise space for years now.

Not arguing any point on privacy concerns, just saying they aren't some small player.
 
Zoom is coded in China and the conferencing routes through servers in China. If you use it for secure communication, you're an idiot.
 
My job uses Zoom for the plebs, and WebEx for those of us in IT and management. I much prefer WebEx, but most like the simplicity of Zoom.
 
Zoom was never intended to be a common consumer product. It was designed for enterprise use within a domain and/or across VPNs. Thus the medium or environment provided enough security. This sudden demand for it has gone outside their intended market. And they are scrambling to fix it.
 
This is yet more justification for not depending on proprietary software solutions and instead investing in Free/Libre Open Source Software (FLOSS) alternatives. This is not to say that any hosted solution is instantly viable if it is FLOSS, but it is much easier to see what protocols are being used, what service is doing what, and the like. Regardless, when it comes to rich presence messaging and collaboration there are a lot of FLOSS options on the table, depending on needs. Centralized, decentralized, or distributed, there are FLOSS communications programs for just about every niche and feature preference.

A good place to start is https://www.privacytools.io/software/real-time-communication/ as it lists quite a few software options. For the vast majority of people, Signal works for maximum ease of use as a drop-in SMS / WhatsApp / AnyMobileMessenger replacement, and Matrix (at the moment, with the Riot client being the most full-featured) is the federated alternative to Slack, Discord, and other rich messaging protocols - it can also run bridges and relays to interact even with proprietary networks. There are other options of course, including those listed in the various categories. Protocols like Matrix along with their various clients and servers could advance even faster if all those who were investing in major proprietary SaaS messaging or other platforms instead concentrated on something fully libre.

It is time to focus on a better path forward.
 
Security by obscurity. Will have the same issues ultimately. Temp solution.
 
I want people to stop demanding video meetings for most things.

Although a fun game to play is "what can I put in the background which is subtle but will freak out an astute observer".
 
In the circles I hang out in (medium enterprise) Zoom has always struck me as the "poor man's WebEx". Before Teams came out, if you were an enterprise looking for a videoconferencing solution you ended up at Zoom because WebEx and GoToMeeting were too expensive.
 
US Senate tells members to not use Zoom, due to ongoing security issues with the platform.
Here are some noteworthy tidbits:
The US Senate has become the latest organization to tell its members not to use Zoom because of concerns about data security on the video conferencing platform that has boomed in popularity during the coronavirus crisis.
...
Zoom was forced to apologize publicly last week for making misleading statements about the strength of its encryption technology, which is intended to stop outside parties from seeing users’ data.
The company also admitted to “mistakenly” routing user data through China over the past month to cope with a dramatic rise in traffic. Zoom has two servers and a 700-strong research and development arm in China. It had stated that users’ meeting information would stay in the country in which it originated.

https://arstechnica.com/tech-policy/2020/04/us-senate-tells-members-not-to-use-zoom/

Updated the OP as well.
 
Every time Skype updates it loses a feature.

Zoom is idiot-proof, not bullet-proof. It's why Apple crushed BlackBerry.
Skype and Skype for Business have effectively been treated as two almost entirely separate things for years, with the consumer version getting the shaft. However, over the past couple of years MS has basically stopped doing anything new on the S4B side of things, as they're pushing all of that functionality into Teams, which is its own mess on the back end. For end users within a business Teams is fairly OK; however, administratively it's a UI that is juggling OneDrive, O365 groups, Skype, SharePoint, etc. as Microsoft tries to cram all that stuff into one application. Last I recall reading, MS was stating they wanted to eliminate Skype for Business by late 2021, I believe? But that might have been pushed off till 2022. I suspect the normal consumer version of Skype is also going to end up in a similar boat, with that being rolled into Windows Live, with Xbox Live just being the gaming-branded version of it (and that's likely why it keeps losing features over time).
 
There used to be one*, non-US-compromised, P2P tech, but MS bought it and destroyed it. Unless one rolls their own, there can be no security and no privacy. You can't trust anyone.

* Skype was the real deal a decade ago. But we can't have that. If someone else comes up with something good, they will have to either sell out, like those guys, or face consequences. Conspiracy much? No, not really. Can't trust anyone. Not the US, not Israel hahahah, not Russia, not EU (a.k.a. US vassals) and no, not China either.

If you have the means (you don't), you roll your own.
The only thing I've seen since that comes remotely close and has better security than OG Skype (I've used it since the early 00s) is Retroshare. It's P2P and the most secure of any communication solution out there that I'm aware of.

It is time to focus on a better path forward.
As much as signal is easy to use for normalfags, the requirement of cellphone number bullshit is frustrating in 2020. Lose your phone/breaks/don't want to rush to replace/can't update software/don't want to use one? Fuck your signal experience.
Phone-forced communication clients are not a replacement they are just an added layer of reliability compromise and unnecessary complexity.
 
The only thing I've seen since that comes remotely close and has better security than OG Skype (I've used it since the early 00s) is Retroshare. It's P2P and the most secure of any communication solution out there that I'm aware of.


As much as signal is easy to use for normalfags, the requirement of cellphone number bullshit is frustrating in 2020. Lose your phone/breaks/don't want to rush to replace/can't update software/don't want to use one? Fuck your signal experience.
Phone-forced communication clients are not a replacement they are just an added layer of reliability compromise and unnecessary complexity.

Depending on what features you need, there are libre alternatives to Skype with equal or better security. Retroshare is great, being FLOSS, P2P, etc., but it is designed for existing groups of known users and the like. Retroshare requires an invitation from existing users/group members to actually do any communication, so it's difficult unless you know people that use/are willing to use it, AND you can communicate with them in some safe third-party way in order to let them know the Retroshare invite info. It's great software for its particular use, but it is certainly a "friend to friend" distributed network application where you have to semi-manually swap invites via PGP certs in order to connect.

Regarding Signal, I know that the phone number (it can actually be ANY viable number that can receive SMS-style messages; it doesn't need to be a cell, and it CAN be a VOIP number if desired) can be an issue for some, but that is also its strength. Signal is a replacement for all the other phone-number-required/focused mobile-style apps out there that most are using, from WhatsApp, iMessage, (Google/Android) Messages, and a bazillion other proprietary messengers in use. Aside from some pretty great crypto (which can be used in other apps and is of course FLOSS), Signal's purpose is as a drop-in replacement for the aforementioned messengers - it uses the phone number as an ID and doesn't need any signups, it can even fall back to sending and receiving SMS/MMS, yet has comprehensive yet seamless encrypted messaging/voice/video calling and even stuff like sticker packs and emoji that many care about. It's not meant to be THE most secure and private option designed for those hiding from state-level actors, or even something for highly technically adept privacy geeks who will put in time and effort.

Looking in terms of a "phone number required, default-use messenger", it is likely the very best option I've seen to date in terms of both privacy/security and ease of use. Given that the vast majority of people fall into this category, it's a significant bit of harm reduction to have them using Signal vs WhatsApp / iMessage / Line / Viber / Kakao etc.! Because of its ease of use, including using the phone number by default, the transition necessary to get someone onto Signal is quite small. All it takes is downloading and installing the app and a simple setup, where they'll find most if not all of their expected functionality from whatever they used to use, plus more! Compare this with some of the more privacy-focused alternatives, which require creating separate accounts, adding friends, manually adding certs, or otherwise have a higher bar. If someone is bothered by the privacy/security implications of a phone number or simply wants another account, there are solid FLOSS alternatives, but within its sphere of influence Signal seems to be the best choice.
 
You could try jitsi-meet as an alternative:

https://jitsi.org/

https://desktop.jitsi.org/Main/Download

Test it out..
https://meet.jit.si/

There are applications for Windows desktop and apps for mobile, plus plain old web browser calls. This includes an AppImage for Linux and AUR builds for Arch Linux (I think there is also an official PPA for Ubuntu).
It's 100% FOSS and obviously encrypted, and it's also very easy to use. I wouldn't necessarily use this as my only solution for business communication as it is a work in progress, but it is viable.

You can also self-host if that's your jam. Just add an instance to your DigitalOcean platform, for instance.
 