2/17/2024

Zoom qr code video star

The issue for Zoom is simply that the company made claims that evoked a much more secure, and desirable, offering. Other enterprise video conferencing services take a similar approach to managing keys. "It sounds like Zoom solved a lot of the hard problems, but didn’t go all the way," says Johns Hopkins University cryptographer Matthew Green. After reviewing Citizen Lab's findings, all the cryptographers WIRED spoke to for this story emphasized that Zoom's centralized key management system and opaque key generation is the biggest issue with the company's past end-to-end encryption claims, as well as its current muddled messaging on the subject. Improvising alternatives in this way is often called "rolling your own" cryptography, typically a red flag given how easy it is to make mistakes that create vulnerabilities. Citizen Lab also found that Zoom uses an unexpected configuration for its transport protocol, used in delivering audio and video over the internet. Citizen Lab found that the key does not change when some participants join and leave, and only refreshes when everyone has left a meeting. "It would help if Zoom were more clear about how keys are generated and transmitted," Teserakt's Aumasson says. Citizen Lab's investigation found that every Zoom meeting is encrypted with one key that is distributed to all meeting participants, and it doesn't change until everyone has left the "room." Conceptually, this is a legitimate way to encrypt video calls, but its overall security depends on a number of factors, including what happens in situations where only some people join or leave the meeting after it has started. It's also unclear how Zoom generates keys and whether they're adequately random or might be predictable.
The report notes that most of Zoom's developers are based in China, and that some of its key management infrastructure is in that country, meaning keys used to encrypt your meetings could be generated there. In a blog post about its encryption posted late Wednesday, Zoom attempted to resolve the confusion. An analysis of Zoom's encryption scheme, published on Friday by Citizen Lab at the University of Toronto, shows that Zoom does generate and hold all keys itself on key management systems. Zoom still, though, hasn't removed its "end-to-end encrypted" pitch everywhere on its website and in marketing materials. The company has since admitted that this is not the case, and now uses the word "encrypted" instead of "end-to-end encrypted" when meetings have the setting enabled. A report in the Intercept on Tuesday noted that, based on its own technical white paper, Zoom had falsely marketed one of its features as making meetings "end-to-end encrypted." That would mean video call data is encrypted at all times in transit, such that not even Zoom could access it. That's harder to achieve than it should be, because Zoom has sent conflicting signals about its encryption approach. But as the United States federal government and other sensitive organizations ramp up use of the service, a clearer accounting of its encryption is due. With this notoriety, though, has come mounting scrutiny of Zoom's security and privacy practices. The videoconferencing company Zoom has seen its star rise exponentially during the Covid-19 pandemic, as friends and coworkers increasingly turn to the service for a communication lifeline.