[Cryptography] NSA security guidelines for videoconferencing
whitfield.diffie at gmail.com
Sat May 2 07:32:25 EDT 2020
> The problem with 'end to end' encryption is that it isn't the same as end to end
> security and the developers may have a different definition of what an 'end' is.
The problem is with the term `end-to-end encryption.' All
encryption is from one end of something to another. Link encryption
is from one end of a link to the other. Perhaps the term we need here
is ``user-to-user encryption.''
On Fri, May 1, 2020 at 10:53 PM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> On Sat, May 2, 2020 at 1:17 AM <jamesd at echeque.com> wrote:
>> On 2020-05-02 04:55, Henry Baker wrote:
>> > FYI --
>> > https://www.hstoday.us/subject-matter-areas/cybersecurity/to-zoom-or-whatsapp-nsa-lays-out-security-details-of-videoconferencing-services-for-teleworkers/
>> > To Zoom or WhatsApp?
>> > NSA Lays Out Security Details of Videoconferencing Services for
>> > Teleworkers
>> I notice that Skype is listed as end to end encrypted, though it is
>> apparent that every Skype interaction is scanned for content.
>> Skype suffers undue delays, because packets are not sent end to end, but
>> through a center or small number of centers, which became grossly
>> overloaded when large numbers of people started to work at home.
>> According to
>> Skype doesn’t use end-to-end encryption at all. That means every
>> message, call, and file can be viewed by Microsoft.
>> Voice, video, text, and files sent between Skype users are encrypted,
>> but only between your device and Microsoft’s servers. That data is
>> decrypted once it reaches the server, allowing Microsoft to snoop if it
>> so pleases.
>> I therefore, knowing Skype to be insecure, did not bother scanning the
>> rest of their recommendations.
> I went into this issue when I did a YouTube segment on security of Zoom.
> The problem with 'end to end' encryption is that it isn't the same as end to end security and the developers may have a different definition of what an 'end' is.
> Have spent way too long explaining to folk that no, their data center is not an end as far as end to end security is concerned.
> I don't see why folk are beating up Zoom and blithely using Dropbox and Slack. Well I do, but...
> If you want end to end you need to do the whole job. Not just point solutions. But right now, anyone proposing anything of that sort is called overambitious.
> The NSA report really only contains one important piece of information: They are aware of the security issues and are going to learn the parties concerned to fix them.
> Or point them to people who can.