[Cryptography] "Zoom's end-to-end encryption isn't

Henry Baker hbaker1 at pipeline.com
Thu Apr 2 23:07:41 EDT 2020

At 04:56 PM 4/2/2020, Peter Fairbrother wrote:
>actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f..."
>not end-to-end despite explicit claim
>mines all your data
>sends data to facebook
>big login hole
>host can detect if watchers present
>all your base are belong to us
>Peter Fairbrother

Yes, I saw this & other articles re Zoom security/privacy issues.

So I was thinking, how secure/private could a multiple-party
Zoom conference possibly be?

So let's do end2end encryption on every video/audio feed.

But we probably need 2 video feeds for each participant: one hi-rez,
good enough for a full screen and 1 lo-rez, good enough for the
smaller videos.

And then there's Zoom's ability to replace the background; clearly
that will have to be done at the source, prior to encryption; it
can't be done at the server end.

So let's assume that the server only sees encrypted audio & video

The server still knows who each of the participants is: it knows
their IP addresses & verified email addresses.

The compositing must now be performed by the end users, who now
receive *all* of the feeds, but they indicate whether they want
the hirez or lorez video feeds depending upon who is *talking*. 
(The decision about who is talking must be a decision by perhaps
the host machine, which can "see" all of the client machine's
video/audio feeds.

So yes, it should be possible for Zoom to run a conference w/o
being ableto hear or see any of the participants; however, it will
know who the participants are, and when & how often they grab the
"floor" and start to speak.

So there's a lot of information leaking into the "metadata" channel
of Zoom itself.

Are there any better ways to hold a group conference?

More information about the cryptography mailing list