[Cryptography] NSA security guidelines for videoconferencing

Phillip Hallam-Baker phill at hallambaker.com
Sat May 2 01:42:22 EDT 2020


On Sat, May 2, 2020 at 1:17 AM <jamesd at echeque.com> wrote:

> On 2020-05-02 04:55, Henry Baker wrote:
> > FYI --
> >
> >
> > https://www.hstoday.us/subject-matter-areas/cybersecurity/to-zoom-or-whatsapp-nsa-lays-out-security-details-of-videoconferencing-services-for-teleworkers/
> >
> > To Zoom or WhatsApp?
> >
> > NSA Lays Out Security Details of Videoconferencing Services for
> > Teleworkers
>
> I notice that Skype is listed as end to end encrypted, though it is
> apparent that every Skype interaction is scanned for content.
>
> Skype suffers undue delays, because packets are not sent end to end, but
> through a center or small number of centers, which became grossly
> overloaded when large numbers of people started to work at home.
>
> According to
>
> https://www.comparitech.com/blog/information-security/is-skype-safe-and-secure-what-are-the-alternatives/
>
>         Skype doesn’t use end-to-end encryption at all. That means every
> message, call, and file can be viewed by Microsoft.
>
>         Voice, video, text, and files sent between Skype users are
> encrypted, but only between your device and Microsoft’s servers. That data is
> decrypted once it reaches the server, allowing Microsoft to snoop if it
> so pleases.
>
> I therefore, knowing Skype to be insecure, did not bother scanning the
> rest of their recommendations.
>

I went into this issue when I did a YouTube segment on security of Zoom.

https://www.youtube.com/watch?v=tTAprR-bDrE

The problem with 'end to end' encryption is that it isn't the same as end
to end security and the developers may have a different definition of what
an 'end' is.

Have spent way too long explaining to folk that no, their data center is
not an end as far as end to end security is concerned.

I don't see why folk are beating up Zoom and blithely using Dropbox and
Slack. Well I do, but...

If you want end to end you need to do the whole job. Not just point
solutions. But right now, anyone proposing anything of that sort is called
overambitious.

The NSA report really only contains one important piece of information:
They are aware of the security issues and are going to learn the parties
concerned to fix them.

Or point them to people who can.