Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing

An anonymous reader shares a report: Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings. With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using "computer audio" instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom's website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption. Further reading: Regarding Zoom.

The Slack

[ogar572]

of video conferencing

Their datacenter is in China.

[waspleg]

As such they are required to provide any and all information to the CCP at their request without a shadow of the due process and rule of law in the West.

If you're doing this for a local book store that usually has an in person get together like once a month (like my wife attends) it's fine. If you're going to talk about trade secrets, you're a moron.

Re:

[DontBeAMoran]

Listen to waspleg! Don't be a moran!

Re:

[pak9rabid]

Isn't that just one of many places they have data centers, and only to service their Chinese customers?

Re:

[DontBeAMoran]

Sounds like a real possibility, most companies (have to) do that.

Re:Their datacenter is in China.

[bhcompy]

The founder/CEO is Chinese, which in the technology world should always add a level of skepticism when it comes to data security(at least as it pertains to Chinese govt access).

Re:

[CaptAubrey]

Do you have a reference to back up that assertion? Not trying to be difficult, I can't find that fact on the web.

Re:

[barcarolle]

Hi, Mr. State Department! Got any new fun sanctions for us today?

Re:

[darkain]

This is just bullshit FUD. If literally every single connection through ZOOM ran through China, then latency would be through the roof.

Global telecommunications companies have regionally distributed datacenters all over the world, this is normal. This is also often required by local law to have local data centers, so content doesn't leave the boarders of the country.

If you're in any country outside of China, odds of your traffic hitting a Chinese data center is next to zero.

The fact that post is modded +5 I

Re:

[gnunick]

If you're in any country outside of China, odds of your traffic hitting a Chinese data center is next to zero.

Right.

Except... when you're in government, or are an interesting company in an industry that they're interested in snooping on, then they could easily gather all of the next-to-zero percentage of the overall traffic produced by you and others like you... and store it wherever the hell they wanted, no?

As the OP said, "If you're going to talk about trade secrets, you're a moron."

Same goes if you're a state or local government agency.

If it's an under-lockdown birthday party playdate your kid is "attending" via

Except BULLSHIT

[SuperKendall]

Except... when you're in government, or are an interesting company in an industry that they're interested in snooping on

Zoom is not run by the Chinese government, so why would Zoom do any of that and risk arrest?

You are an Idiot. Please note that I was capitalized.

Re:

[darkain]

AWS has a pair of China regions available...

Are you going to accuse literally every single company in the world who uses any AWS infrastructure of the same?

If so, please turn in your internet card at the door, because there is basically nothing left for you to use here.

Re:

[i.r.id10t]

Except for a LOT of the folks you say may need to watch what is happening - state/fed govn't stuff, etc - suddenly had to start working from home in the past few weeks for some silly reason.

And I know Zoom sent out mails to .edu places saying "come use us free for a few months and see if you like it" as did just about every other online meeting, online course delivery, screen sharing, screen recording, etc. company out there. While I know the education dollars are tempting, I'm also fairly sure quite a few

Re:

[kriston]

Well, there was that BGP leak that routed US traffic through China that one time (that we know of).

Re:

[tradica]

What if you're the British Govt? https://i.imgur.com/1L8azlF.png [imgur.com]

It's even better!

[ceoyoyo]

It's actually end-to-end-to-end encryption! It's even better than end-to-end! There's an extra end!

I think I missed my calling as a marketing exec.

Re:

[AleRunner]

"double end to end encryption" double plus good.

Re:It's even better!

[ceoyoyo]

A linguistics professor was lecturing a class. He explained that there are languages where a double negative is a positive, and where a double negative is a negative. But there are no languages where a double positive is a negative.

From the back row he hears: "Yeah, right."

Re:

[gweihir]

You know, they probably encrypt twice in OFB or CTR mode for even better security!

Re:

[mspohr]

Best to apply ROT-13 twice!

Re:

[ceoyoyo]

Amateur. Four times is four times as good. That's one of the reasons ROT-13 is so great: it's fast enough you can easily apply it several times.

Re:

[gweihir]

You really are stuck in the dark ages! Use ROT-26 just once, and you have even better security!

Re:It's even better!

[im_thatoneguy]

I mean they don't hide it at all. They state:

Cloud Recordings are processed and stored in Zoomâ(TM)s cloud after the meeting has ended; these recordings can be password protected or available only to people in your organization.

Clearly Zoom's servers have to have access to one 'end' of the contents of a meeting if they are being recorded and stored. They also only use the term End-To-End here

End-to-End Chat Encryption allows for a secured communication where only the intended recipient can read the secured message.

So the text chats are End-to-End but the video and audio is accessible by Zoom to allow the service to do its servicey things.

Also if they are HIPAA compliant then that's good enough for my security needs.

Re:

[ceoyoyo]

It's perfectly possible for zoom to archive an encrypted recording that they cannot decrypt.

Zoom says they are HIPPA compliant... if you give them $200 a month. Like Google I guess: if you pay them, they won't sell your data. If you don't, prepare to be mined.

Re:

[freeze128]

Well, that's only if you CHOOSE TO RECORD a meeting. If you don't, then no recording is made.

Does Grandma care?

[chispito]

Zoom seems great, but does it really strike you ask a good pick for business or anything else confidential? Does Grandma really care if it's encrypted?

People don't understand what E2E means

[Octorian]

Unfortunately, this isn't terribly surprising. The problem stems from most people (including tech people) simply not understanding the difference between "encrypted" (client-to-server) and "end-to-end encrypted" (client-to-client). I've even heard people outright assume that end-to-end meant "from your end to ours", as this article claims Zoom was.

This first became painfully obvious to me when a product I used to work on first announced that it was now "end-to-end encrypted." In so many comments online, the initial reaction was simply "You mean they weren't encrypted before?". (Of course it was encrypted before. Its just that it was client-to-server before, like everyone else does.)

Re:

[timeOday]

I can't think of how you would verify that something is end-to-end encrypted anyways. With an untrusted client at either end, you simply don't know.

Microsoft and Apple should build end-to-end encryption into Windows, just for media. The application would have no way to know what audio or video it was playing, that would have to happen in a layer beneath the app and above a trusted/signed driver. A "good" use of DRM.

I know, I know, you can balk that Microsoft and Apple aren't trustworthy, but it wou

Re:

[gweihir]

Indeed. The problem is that most people do not understand attack modelling at all. In actual end-to-end you have to attack the endpoints to get at the content and nothing else will help (provided the encryption is good).

Re:

[anegg]

I think there has been a shift in the meme "end to end encryption. For most of my professional journey in telecommunications, end-to-end stood for "endpoint to endpoint", and a multi-point conference server was definitely an "end point" as it had lots of audio and/or video processing that it needed to do in order to provide the conference service (things like transcoding from one format to another etc.). At some point people who probably were not familiar with the "endpoint to endpoint" (with the server b

Re: People don't understand what E2E means

[reanjr]

WebRTC works just fine, it's supported by all major browsers, and delivers video and audio with end-to-end encryption.

So, I would expect Zoom to work like that. Except then why would Zoom even exist if they just used an open and secure protocol? Where's the money in that?

Slashdot's Alternatives?

[0100010001010011]

Se we're aware the Zoom, Slack, Discord, * all "suck".

So what is a FOSS, self hosted alternative that offers the features of the above with the ease of use for the *Non* Slashdotter?

Mattermost? RocketChat? Jitsi? What alternatives have people actually setup and used regularly?

Re:Slashdot's Alternatives?

[profke]

I've used and recommended Jitsi to a number of (non technical) people. They love it! You can do video meetings, record it, invite people, etc etc. It is a pretty comprehensive package!

Re:

[waspleg]

Never heard of it, looks interesting, thanks.

Re:

[ArchieBunker]

Can't decide which name is more terrible Jitsi or Devuan.

Re:

[0100010001010011]

This name originates from the Bulgarian "" (wires)

Damn other languages for existing.

Re:

[labnet]

We tries Jitsi last week with 8 people and the latency and audio feedback issues made it unuseable. The team had to go back to zoom.
This was using Synologies Jitsi service, so that may have been the issue.

Re:

[Lose]

We tried to roll jitsi internally along with jibri because of the need to host webinar like meetings with the platform. It was, by all accounts, an absolute shit show and waste of hours.

This was after the youtube integration with Google Hangouts was retired last Fall. Zoom would not have functioned with the particular equipment we were using at the time in the fashion it was required. However, after countless audio sync issues, streaming equipment near catching fire due to the loading from all the softwa

Re:

[gweihir]

I am using mumble (voice only) with my own server, but the server-side config is somewhat obscure.

Re: Slashdot's Alternatives?

[reanjr]

https://www.google.com/search?... [google.com]

Re:

[scdeimos]

Se we're aware the Zoom, Slack, Discord, * all "suck".

You left Microsoft Teams out of that list. Apparently Apple thinks it sucks so much that they won't allow Microsoft Teams into the macOS App Store with all of the other Microsoft Office apps. You have to download a .pkg installer from teams.microsoft.com and trust that they're not back-dooring your computer with all of their telemetry crap - which, of course, they are and is why Apple won't allow it in the macOS app store in the first place.

Trust

[bhcompy]

Use a trusted domestic company instead if encryption is a worry(which it generally should be, particularly for business communications). Doesn't guarantee much other than accountability and some semblance of standards, but it's better than nothing. Citrix, Cisco, and Microsoft all have superior products to Zoom, and their CEOs aren't Chinese nationals

Is it even possible

[doconnor]

Wouldn't end to end encryption require that each user send a copy of their video stream to each participant encrypted with a different key, requiring much more bandwidth.

Re:Is it even possible

[Cajun Hell]

No, you'd just have a structure at the beginning of the stream where a copy of the session key is encrypted once, using each recipient's public key. Not big at all, especially within the context of audiovideo streaming! You're throwing around gigabytes and worried about a few extra copies of 128-to-256-bit keys?

This is the Netflix era. Whatever else you're doing in addition to AV, probably isn't within a few orders of magnitude as the size of the AV itself.

Re:

[doconnor]

Yes, that would probably work.

Re:

[gweihir]

Wouldn't end to end encryption require that each user send a copy of their video stream to each participant encrypted with a different key, requiring much more bandwidth.

Nope. You can do end-to-end in an 1:n fashion. After all each endpoint already has the full stream and hence no reason to attack the others. But since multicast does not really work, there is a separate stream going to each receiver anyways.

Re:

[0100010001010011]

I don't know about Video, but you can setup multiple recipients in GPG and the magic math does the rest.

Open Source video conferencing: BigBlueButton

[kbahey]

There are a couple of open source video conferencing solutions out there.

Thanks to a member of our local LUG [kwlug.org], who setup instances for us to tests, we can tell you what works and what doesn't.

First, Jitsi [wikipedia.org] was tested. It was found to be CPU intensive on the client side. Some say this is specific to Firefox only, and Chrome does not suffer from that, but it was unusable.

Then he setup BigBlueButton [wikipedia.org] on an Intel Core i7 desktop. It worked perfectly. The sound was clear, and CPU usage was reasonable on Firefox (from Xubuntu 18.04). I was also able to get Opera to work with it. Falkon did not work.
There is no need to install anything on the client, since it only needs a browser with WebRTC. That is very convenient.

One caveat: it runs on Ubuntu 16.04 LTS (not the current 18.04). And it required some hoops to go through to open ports.

Re:

[DontBeAMoran]

Dude, anything is going to "work great" on a freakin' Intel i7. Only a small minority have those in their computers. I don't know if you're aware, but some companies are still selling Atom-powered laptops.

Re:

[kbahey]

Read my post again: there is nothing to install on the client (meeting participants).

The Intel Core i7 is the server that runs the BigBlueButton server software.
The client is just about anything. Mine is a Core i5 laptop with just Firefox.

Re:

[pak9rabid]

Isn't BigBlueBotton also implemented using Flash?

Re:

[kbahey]

Isn't BigBlueBotton also implemented using Flash?

It used to be, but it is no longer so.

Now it uses WebRTC, and works really well.

Re: Open Source video conferencing: BigBlueButton

[aRTeeNLCH]

FYI, on Fennec (F-Droid Firefox) on Android, jitsi works fine on relatively recent devices, only on older Galaxy S4 had a bit of an issue. But that is a 7 year old device...

Did you generate a key?

[Cajun Hell]

Did you generate a key and then share it out of band with the people you're communicating with?

If you can't say "yes" with certainty to that question, then you have no reason to suspect that you might be going things securely. It might actually be technically "end to end encrypted" but that doesn't mean it's even slightly secure, because you have no idea how the key(s) were generated, and who has them.

Fun fact: and besides the fact that you're using shitty encryption, by using someone else's service to en

Re:

[goose-incarnated]

Did you generate a key and then share it out of band with the people you're communicating with?

If you can't say "yes" with certainty to that question, then you have no reason to suspect that you might be going things securely.

Of course you can. You can't verify the identify of the other party but you can certainly communicate with them without anyone eavesdropping.

Re:

[Cajun Hell]

You can't verify the identify of the other party but you can certainly communicate with them without anyone eavesdropping.

You and your friend can communicate through an eavesdropping middleman without anyone else eavesdropping? Maybe, but only if your first eavesdropper had the good sense to verify you both.

Re:

[goose-incarnated]

You can't verify the identify of the other party but you can certainly communicate with them without anyone eavesdropping.

You and your friend can communicate through an eavesdropping middleman without anyone else eavesdropping? Maybe, but only if your first eavesdropper had the good sense to verify you both.

Seems like you are repeating what I just said. Just because you can't verify identity of the peer does not mean that anyone else can listen in. So, sure, you could be talking to the wrong peer, but you'll be talking securely.

But it works

[lorinc]

So far, it's the only thing that works with 10+ persons in video. All the other I have tested (webrtc, skype, hangouts, adobe connect, starleaf) do not work properly when there are more than 10 participant that stream their video.

I'll gladly accept other propositions to test, but so far, only zoom was somewhat usable.

(Needs to work with linux, win and osx with a backup telephone communication for those who are not admin of their computer)

If not E2E, then they cannot be HIPPA-compliant

[ethanwilde]

I am no expert in HIPPA-compliance, but the authorities I've reviewed all indicate that true E2E encryption if a requirement to be HIPPA-compliant. That appears to suggest that Zoom is defrauding medical professionals using the Zoom BAA (Business Associates Agreement) accounts, which cost upwards of $200 per month and explicitly claim HIPPA-compliance. Class action, anyone?

Re: If not E2E, then they cannot be HIPPA-complian

[reanjr]

My guess it that HIPAA designates compliant data processors. Zoom is like a medical supplier used to ship you your drugs. As long as both parties are HIPAA compliant, then there are simply two compliant end-to-end encrypted transactions between parties.

Telehealth?

[nerve8]

I think the telehealth is supposed to be end to end encrypted for chat and video. https://support.zoom.us/hc/en-... [support.zoom.us]

Screen capture of British Govt using ZooM

[tradica]

https://i.imgur.com/1L8azlF.png

It's a feature, not a bug...

[Maxwell]

If they did true end to end they wouldn't be able to offer services such as Transcription and cloud recording and (As explained in the article) switching to the active speaker would be very difficult as well. All three of these are key features for us.

If you dont want those features, install Zoom's Meeting Connect on your premises and host your own meetings by your self.

Communication passes through Zoom’s cloud

[notdecnet]

“The content is not decrypted as it transfers across the Zoom cloud [theintercept.com] ”

Why would this, not-really end-to-end communication need to pass through Zoom’s cloud, in the first place?

Re:

[Lose]

Zoom allows you to record webinars, meetings and such and then share the recordings as a link to whoever you choose. Their webinar integrations also need a way to direct the meeting to streaming platforms like youtube.

I think its wrong for them to claim end-to-end encryption as a feature for their platform. But to support features like that, I think it would be rather difficult for them to avoid stages of decryption and then re-encryption just due to the nature of how they must work.

WTF?

[ZuckFucker]

What incompetent douchenozzle developed this piece of shit?