[Cryptography] NSA security guidelines for videoconferencing

Whitfield Diffie whitfield.diffie at gmail.com
Sat May 2 07:32:25 EDT 2020


> The problem with 'end to end' encryption is that it isn't the same as end to end
> security and the developers may have a different definition of what an 'end' is.

    The problem is with the term `end-to-end encryption.'  All
encryption is from one end of something to another.  Link encryption
is from one end of a link to the other.  Perhaps the term we need here
is ``user-to-user encryption.''

                           Whit

On Fri, May 1, 2020 at 10:53 PM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
>
>
>
> On Sat, May 2, 2020 at 1:17 AM <jamesd at echeque.com> wrote:
>>
>> On 2020-05-02 04:55, Henry Baker wrote:
>> > FYI --
>> >
>> > https://www.hstoday.us/subject-matter-areas/cybersecurity/to-zoom-or-whatsapp-nsa-lays-out-security-details-of-videoconferencing-services-for-teleworkers/
>> >
>> > To Zoom or WhatsApp?
>> >
>> > NSA Lays Out Security Details of Videoconferencing Services for
>> > Teleworkers
>>
>> I notice that Skype is listed as end to end encrypted, though it is
>> apparent that every Skype interaction is scanned for content.
>>
>> Skype suffers undue delays, because packets are not sent end to end, but
>> through a center or small number of centers, which became grossly
>> overloaded when large numbers of people started to work at home.
>>
>> According to
>> https://www.comparitech.com/blog/information-security/is-skype-safe-and-secure-what-are-the-alternatives/
>>
>>         Skype doesn’t use end-to-end encryption at all. That means every
>> message, call, and file can be viewed by Microsoft.
>>
>>         Voice, video, text, and files sent between Skype users are encrypted,
>> but only between your device and Microsoft’s servers. That data is
>> decrypted once it reaches the server, allowing Microsoft to snoop if it
>> so pleases.
>>
>> I therefore, knowing Skype to be insecure, did not bother scanning the
>> rest of their recommendations.
>
>
> I went into this issue when I did a YouTube segment on security of Zoom.
>
> https://www.youtube.com/watch?v=tTAprR-bDrE
>
> The problem with 'end to end' encryption is that it isn't the same as end to end security and the developers may have a different definition of what an 'end' is.
>
> Have spent way too long explaining to folk that no, their data center is not an end as far as end to end security is concerned.
>
> I don't see why folk are beating up Zoom and blithely using Dropbox and Slack. Well I do, but...
>
> If you want end to end you need to do the whole job. Not just point solutions. But right now, anyone proposing anything of that sort is called overambitious.
>
> The NSA report really only contains one important piece of information: They are aware of the security issues and are going to learn the parties concerned to fix them.
>
> Or point them to people who can.
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography

