Originally published at: https://boingboing.net/2020/06/17/plagued-by-security-woes-zoom.html
…
Actually, Zoom stopped being plagued with security woes back at the start of May, when they released version 5.0 of their platform which included robust end-to-end encryption for paying customers. This release really did fix a lot of their crappy patchwork of bad security.
What they suffered after that has not been what would normally be considered “security woes”. What they have received instead is ongoing bad press for not offering end-to-end security to all their free clients, too. Zoom has a valid point in that they have encountered past situations where abusers misused their service, and some are clearly criminals that need to be stopped (stalkers, predators, abusers, etc.).
Their new proposal offers the same strong encryption to all users (although as a per-meeting option that is not on by default), but in order to participate in an encrypted meeting, the free users will somehow have to identify themselves to Zoom (“enter your phone number so we can text you a code”). This will enable Zoom to provide a bit of identifying information to investigators if someone reports a user. It will also allow authorities to subpoena the identity information of participants in a meeting, although Zoom’s new encryption protocol keeps the content private.
Zoom has matured a lot since the start of the pandemic. It seems a shame to keep accusing them of something they quickly fixed.
Is that based on a verifiable code audit?
No, it’s based on their key exchange protocol, published on github. From what I can tell after reviewing version 1, the key exchange does a good job of ensuring Zoom (or any non-meeting-participant) doesn’t have the ability to decode packets.
While a rogue client could violate the secrecy of their key, if Zoom were distributing those that would be their death knell. Their software is under scrutiny from a lot of people these days (including the corporations who demanded the improvements), and a deliberate security violation would likely be caught.
They acknowledge this in their protocol paper: “Software flaws: Zoom’s client code or the third-party libraries it links against can have bugs, or worse, intentional backdoors. Zoom’s binary build procedures might become compromised. In these cases, there are no good guarantees we can make. Zoom relies on extensive analyses by independent third party auditors to reassure customers in this domain.”
Are we sure that’s not an end to encryption?
It’s rather too little, too late. It doesn’t matter what Zoom promises in the way of encryption and - more to the point - it doesn’t even matter what they do to implement it. We already know, after their shuttering of non-Chinese accounts at the request of the Chinese gov’t, that if the Chinese (or any even vaguely ominous authority figure) ever asks for the encryption keys for their scheme, Zoom will hand them over without hesitation.
This is not really security at all. It’s window-painting.
Can’t they just get that from the BoingBoing Store?
Zoom can’t hand over the keys, as their new key exchange protocol doesn’t ever put the keys in Zoom’s servers, unless they’re turned over by a meeting participant colluding with the Chinese government.
Zoom certainly can turn over a participant list of each meeting, so the Chinese could put together a list of who contacted who, and when. For their purposes, that’s likely enough to arrest people. But what is spoken at the meetings will remain undecipherable.
Because of the possibility of identification, when the meeting happens, and other metadata factors, that itself isn’t secured or, for a better word, private, which makes it still a legitimate security concern.
Of course, I would recommend another method of online meeting altogether.
Notwithstanding your helpful reply, it’s the bits around the key exchange I worry about more. Things like WhatsApp’s quiet changing of keys on reinstall.
Then definitely read their protocol paper. You’ll see they have an answer for that, too, which is to use the keys generated when a client is first installed as a kind of alpha key that has to sign any new client keys generated on other machines; entering a meeting on a new client without having the alpha key sign it will show a warning to all other participants.
They have accounted for many scenarios, such as: any time a participant enters or leaves a meeting, the leader generates a new ephemeral meeting key; they also put a fifteen-second limit on these key changes to prevent thrashing by an adversary. There is a heartbeat message that goes out to all participants containing a signature of the meeting’s keys, so that changes can’t go unnoticed.
The protocol looks thorough. It’s evident that Zoom really wants this to be open and trustworthy. They started by considering that a corrupt Zoom administrator would be their worst case scenario, and have designed it such that Zoom servers are unable to eavesdrop on a secured meeting. If you are even at all concerned, I strongly recommend you read their paper — don’t rely on others to interpret it for you.
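To make the rotation rule and heartbeat check described in the reply above concrete, here is an added toy model; it is not Zoom’s code and not the published protocol. A leader rotates the meeting key on join/leave, defers the rotation when the last one was under fifteen seconds ago, and emits a heartbeat over the key that each participant checks against the key it holds. The assumed shared leader secret and the HMAC tag are stand-ins for the real signing key and signature.

```python
import hashlib
import hmac
import secrets

ROTATION_MIN_INTERVAL = 15.0  # seconds, the limit the post describes


class Leader:
    """Meeting leader: owns the ephemeral meeting key and rotates it."""
    def __init__(self, sig_key: bytes, now: float):
        # Assumed: a secret shared with participants; HMAC stands in for a signature.
        self.sig_key = sig_key
        self.meeting_key = secrets.token_bytes(32)
        self.key_epoch = 0
        self.last_rotation = now
        self.pending = False  # a join/leave arrived inside the cooldown

    def on_membership_change(self, now: float) -> bool:
        """Rotate on join/leave unless the last rotation was under 15 s ago."""
        if now - self.last_rotation < ROTATION_MIN_INTERVAL:
            self.pending = True  # coalesce churn; rotate when the window ends
            return False
        self._rotate(now)
        return True

    def tick(self, now: float) -> bool:
        """Periodic timer: perform a deferred rotation once it is allowed."""
        if self.pending and now - self.last_rotation >= ROTATION_MIN_INTERVAL:
            self._rotate(now)
            return True
        return False

    def _rotate(self, now: float) -> None:
        self.meeting_key = secrets.token_bytes(32)
        self.key_epoch += 1
        self.last_rotation = now
        self.pending = False

    def heartbeat(self) -> dict:
        """Heartbeat carrying the key epoch and key digest, authenticated."""
        digest = hashlib.sha256(self.meeting_key).digest()
        msg = self.key_epoch.to_bytes(4, "big") + digest
        tag = hmac.new(self.sig_key, msg, hashlib.sha256).digest()
        return {"epoch": self.key_epoch, "key_digest": digest, "tag": tag}


def verify_heartbeat(sig_key: bytes, local_key: bytes, hb: dict) -> bool:
    """Participant side: a bad tag, or a digest not matching our key, is a silent key change."""
    msg = hb["epoch"].to_bytes(4, "big") + hb["key_digest"]
    tag_ok = hmac.compare_digest(hmac.new(sig_key, msg, hashlib.sha256).digest(), hb["tag"])
    key_ok = hmac.compare_digest(hashlib.sha256(local_key).digest(), hb["key_digest"])
    return tag_ok and key_ok
```

A participant that fails `verify_heartbeat` has either missed a rekey or is seeing a heartbeat not produced by the leader, and should surface that to the user rather than keep sending on the old key.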
If they are genuine, then that’s good news. I’m a little sceptical that the culture has changed though, and I think that’s the most important part of effective security. I say this only in view of how difficult it is to change corporate culture.
Corporate culture changes can be difficult, but sometimes they’re successful when driven by forces outside of the company’s control. For example, I watched an ocean liner make a sharp 180-degree turn after a data breach.
Zoom received a similar wake-up spanking as companies flocked to them at the start of the pandemic: hundreds of their brand new million-dollar contracts threatened to walk away if they didn’t get their “security woes” fixed right now. As evidence, this new encryption model is a complete breaking change from their old software. That’s not something a company normally does without a year of planning and coordination, and they did it in one month.
I know I probably sound like a fanboi at this point, but everything they’ve visibly done to sort this out has been to take the right steps from both a corporate and infosec point of view.
We’ll see how long it lasts, of course.
Thank you - I didn’t realize Zoom didn’t have access themselves.