[Cryptography] "Zoom's end-to-end encryption isn't
Ángel
angel at crypto.16bits.net
Fri Apr 3 21:30:51 EDT 2020
On 2020-04-03 at 00:56 +0100, Peter Fairbrother wrote:
> actually end-to-end at all. Good thing the PM isn't using it for Cabinet
> calls. Oh, for f..."
>
> https://www.theregister.co.uk/2020/04/01/zoom_spotlight/
>
> tldr:
>
> not end-to-end despite explicit claim
> mines all your data
> tracker-friendly
> sends data to facebook
> big login hole
> host can detect if watchers present
> all your base are belong to us
>
>
> Peter Fairbrother
Well, today you have an even bigger piece of Zoom news. Citizen Lab
found:
- an undisclosed security issue with Zoom’s Waiting Room feature that
they are waiting for Zoom to fix before publishing
- that all the participants use the same encryption key, which is
provided by a server located in China¹
- which is then used to encrypt the video and audio using -hold tight-
AES in ECB mode.
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/
¹ It is possible that it is *sometimes* generated by servers in the US.
They only found that the key securing a US-Canada conference was
provided by a Chinese server, not how often those were used.
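Why the AES-ECB detail matters, as an added example that is not part of the post above, of the Citizen Lab report, or of Zoom's own code: ECB applies the block cipher to each 16-byte block independently, so two equal plaintext blocks always give two equal ciphertext blocks, and an observer who holds only the ciphertext can see the repetition. The "video frame", the 128-bit key, and the use of AES-CTR as the contrasting mode are all constructed for illustration here (a real protocol would use an AEAD such as AES-GCM, and nothing below models Zoom's actual media format). Go's standard library has no ECB helper, so the block-by-block loop is written out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// sampleFrame is a constructed stand-in for a raw video frame: a flat
// background (one 16-byte pixel run repeated 64 times) with a small
// two-block "object" in the middle.
func sampleFrame() []byte {
	background := bytes.Repeat([]byte{0x10, 0x20, 0x30, 0xff}, 4) // one AES block
	frame := bytes.Repeat(background, 64)                         // 64 blocks
	object := bytes.Repeat([]byte{0xee, 0x11, 0x22, 0xff}, 4)
	copy(frame[30*aes.BlockSize:], object)
	copy(frame[31*aes.BlockSize:], object)
	return frame
}

// ecbEncrypt runs the block cipher over each block independently. No IV,
// no chaining: identical plaintext blocks yield identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// ctrEncrypt is the contrast case: AES-CTR with a fresh random IV, so the
// keystream differs per block and equal plaintext blocks no longer collide.
// (CTR alone gives no integrity; an AEAD would be used in practice.)
func ctrEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block.
// This is exactly what a passive observer without the key can compute.
func duplicateBlocks(ciphertext []byte) int {
	seen := make(map[[aes.BlockSize]byte]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ciphertext[i:i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed 128-bit "meeting key"
	frame := sampleFrame()
	ecb, _ := ecbEncrypt(key, frame)
	ctr, _ := ctrEncrypt(key, frame)
	fmt.Printf("plaintext: %d blocks, %d repeated\n", len(frame)/aes.BlockSize, duplicateBlocks(frame))
	fmt.Printf("AES-ECB:   %d repeated blocks (frame layout visible without the key)\n", duplicateBlocks(ecb))
	fmt.Printf("AES-CTR:   %d repeated blocks\n", duplicateBlocks(ctr))
}
```

Running it shows the ECB ciphertext with the same 62 repeated blocks as the plaintext, and the two "object" blocks standing out at the same positions, while the CTR ciphertext has none. The single shared meeting key mentioned in the post compounds this: the same key across all participants and streams means the same plaintext block encrypts identically everywhere it appears.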