Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Encryption

Zoom's New, Stronger Encryption May Only Protect Paying Clients (newsweek.com) 21

"Zoom plans to strengthen the encryption of its service for paying customers," reports Newsweek, "but the upgrade will not be available to users of its free service." Zoom security consultant Alex Stamos later confirmed the details of the reported move in an interview with Reuters, which first reported the changes on Friday. But he also told the news outlet that Zoom's plans could still change. "The CEO is looking at different arguments," Stamos said.

"The current plan is paid customers plus enterprise accounts where the company knows who they are." In the wake of privacy concerns, he added that Zoom was making significant efforts to upgrade safety and trust on its platform. In an emailed statement to Newsweek, a Zoom spokesperson said: "Zoom's approach to end-to-end encryption is very much a work in progress — everything from our draft cryptographic design, which was just published last week, to our continued discussions around which customers it would apply to." The tech company's plans to boost the encryption of video calls on its platform have been revealed a month after it was reported that half a million Zoom account credentials were being sold on the Dark Web.

Zoom's increased usage during lockdowns brought increase scrutiny, reports CNET, which "revealed several Zoom security problems and the fact that an earlier Zoom boast of end-to-end encryption was baseless."
This discussion has been archived. No new comments can be posted.

Zoom's New, Stronger Encryption May Only Protect Paying Clients

Comments Filter:
  • Hospitals are using this for patient encounters, they've had US-based data center and end to end encryption for a long time.

    The fact that the free version doesn't have it doesn't make it insecure, it makes you a cheapskate. Free/trial versions never have the full feature set.

    • Except that they did not, despite the promise on the website. Their definition of end-to-end was https from client to server and then from server to client. This was sort of the the main problem...
    • Hospitals are using this for patient encounters, they've had US-based data center and end to end encryption for a long time.

      The fact that the free version doesn't have it doesn't make it insecure, it makes you a cheapskate.

      Yes, I am. I have no need for Zoom unless someone else insists on me using it to communicate.

      Free/trial versions never have the full feature set.

      Well now, isn't that the truth. Which means I am basing my opinion of the service on a crippled version. Great marketing there, Lou! And after the whole privacy issue [vox.com] with them, it is another black mark against them. (I do not give a shit what the CEO says. I will not trust them until it is PROVEN that it is true and the burden of proof is on them.)

      I have become incredibly cynical with current online services. W

    • So zoom only protects itâ(TM)s customers ( as the saying goes, if you are not paying you arnâ(TM)t rhe customer, youâ(TM)re the product), a why would you expect them to care about non costumers ( unless them not caring effects their ability to collect data fron therir users fir their reak customers ie CCP and/or advertisers). Or am I just beefing cynical here
  • "Zoom's approach to end-to-end encryption is very much a work in progress..."

    Either it's E2E-encrypted or it isn't. That statement means it isn't.

    • "Zoom's approach to end-to-end encryption is very much a work in progress..."

      Either it's E2E-encrypted or it isn't. That statement means it isn't.

      For two parties true. Much more challenging when there are more than two people on the call because you have to define what the "ends" are. If you have three people, you either have a hub and spoke data transmission model where three ends that share a common encryption key (not technically end "end to end" as more then two parties share a key) or each party has a separate end to end channel with the other two endpoints (doubling the bandwidth for each party and gets way worse as you scale up the number of p

      • Yes, I know all that. I don't care that it's a harder problem. Until they solve it, they shouldn't ever call it end-to-end encryption since most people consider that to mean that the bits are at no time unencrypted except for participants.
      • Public Key Encryption:
        Everyone in a meeting encrypts to host, host encrypts to attendees.

        • by Nkwe ( 604125 )
          That's the hub and spoke model where the host or hub has access to the unencrypted data - The whole point of end to end encryption is that only the end users get to see the clear text and the service provider doesn't.
  • by hankwang ( 413283 ) on Sunday May 31, 2020 @04:20PM (#60128928) Homepage

    If the host of the meeting is a paying customer, will all participants get E2E encryption?

    At least, with the other perks for paying customers (time limit on meetings, maximum number of participants), only the host needs to pay.

  • As of today (May 31), Zoom [support.zoom.us] states:

    "Beginning May 30, 2020, all Zoom clients must be on 5.0+ in order to join any meeting, as GCM Encryption will be fully enabled for all Zoom meetings. This also applies to Zoom Rooms."

    "Do I need to be a paid user to have GCM encryption? No, all accounts will use GCM encryption once enabled on May 30."

    "Can I opt out of GCM? No, this is a required change for all accounts on the Zoom backend."

    So if these statements are accurate every account, paid or unpaid, will have GC

  • Zoom is proprietary. I will never and have never trusted such solutions, when privacy matters. Check out self-hosted Jitsy, Mumble, or NextCloud Talk.
  • Communication and training are key to preventing any accidents. Local Law 196 of 2017 went into effect on October 16, 2017. It created new requirements for construction site safety training courses. Workers must complete a total of 40 hours of training by September 1st, 2020 in order to qualify for a Site Safety Training (SST) Card. You can do it online, for example, https://www.ablesafety.com/cou... [ablesafety.com]

Real Programmers think better when playing Adventure or Rogue.

Working...