[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Christian Huitema huitema at huitema.net
Thu Jun 4 16:32:47 EDT 2020


On 6/3/2020 9:22 PM, John Gilmore wrote:
> John Young <jya at pipeline.com> wrote:
>> In response to these critiques, isn't it wise to suspect/avoid any 
>> comsec/infosec which is widely touted, used and promoted ... ?
> That sounds like the club that was so crowded that nobody goes there anymore.

:-)

> I *have* been advised by someone who ought to know better, that merely
> moving off the most popular two or three platforms vastly reduces the
> likelihood of penetration.  Like, don't use a Microsoft or Apple OS.
> But: you have to think about who might want to attack and what their
> goals are.  If breaking into servers is what matters to one of your top
> adversaries, then Linux is likely the first platform attacked; if
> smartphones, Android; etc.

That sounds like a two-edged sword. On one hand, widely used platforms
do attract a wide cast of attackers. But on the other hand, most widely
used platforms are also actively maintained and regularly updated to fix
newly discovered attacks. Using something obscure will protect against
mass-produced attacks such as phishing campaigns, but might be very
vulnerable to targeted attacks.

Yet I think there is something to that argument, because widely used
applications are often most vulnerable to nation-state compromises due
to their business model. Take the example of Skype. The early versions
of Skype were designed for end-to-end security, and law enforcement
agencies in many countries were not happy. As Skype became widely used,
it migrated from being managed by a small crew to being managed as part
of a big business. It then became much more vulnerable to pressure, and
had to find creative ways to satisfy the requests of at least some law
enforcement agencies. After Microsoft bought Skype they centralized the
handling of the call set-up, and the centralized handling made it much
easier to satisfy law enforcement requests. We are seeing the same
process happening with Zoom.

An app that just serves a small niche of users might escape these
pressures -- until of course it becomes popular enough and noticed...

-- Christian Huitema



