[Cryptography] NSA security guidelines for videoconferencing
John Gilmore
gnu at toad.com
Mon May 4 06:06:39 EDT 2020
Whitfield Diffie <whitfield.diffie at gmail.com> wrote:
BW> Unless the algorithm is rot0 or the user is a savant, some software
BW> is being trusted. And I doubt that even a savant could handle video
BW> encryption at frame rate.
>
> This is a different sort of objection and surprises me. It is a
> factual question; does somebody have the facts?
There's a pretty good reverse-engineering of the Zoom Web client here,
by some people who specialize in doing streaming-video-over-internet
(webrtc) in browsers:

https://webrtchacks.com/zoom-avoids-using-webrtc/

The same site has other articles analyzing various other video
conferencing methods. Here's one:

"Does your video call have End-to-End Encryption? Probably not..."
https://webrtchacks.com/you-dont-have-end-to-end-encryption-e2ee/

Here is a quick demo from three weeks ago of how they used a new
Insertable Streams javascript API in a beta Chrome version to prototype
true end-to-end encryption for the free software Jitsi web application.
(Spoiler: they superencrypt the actual video stream, since the raw
stream is getting sent over TLS, and TLS is negotiating keys with an
endpoint at a media relay service, not at the other user. They are
still working out all the details of key agreement -- anybody want to
help?):

https://webrtchacks.com/true-end-to-end-encryption-with-webrtc-insertable-streams/

John
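
The superencryption idea in the message above, as an added example that is not part of the original post or of the Jitsi prototype: each encoded frame is sealed under an end-to-end key before the hop encryption that the relay terminates. Node's `crypto` module stands in for the browser's WebCrypto, the end-to-end key is assumed to be shared already (key agreement is not shown), and all function names and the sample frame are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const IV_LEN = 12, TAG_LEN = 16;

// Sender: what a per-frame transform (hypothetical name) would do to each encoded
// frame. The nonce is senderId || frame counter, so it never repeats under one key.
function sealFrame(key, senderId, counter, payload) {
  const iv = Buffer.alloc(IV_LEN);
  iv.writeUInt32BE(senderId, 0);
  iv.writeBigUInt64BE(BigInt(counter), 4);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(payload), c.final()]);
  return Buffer.concat([iv, ct, c.getAuthTag()]);
}

// Receiver: returns the plaintext, or null if the frame fails authentication.
function openFrame(key, sealed) {
  if (sealed.length < IV_LEN + TAG_LEN) return null;
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, IV_LEN));
  d.setAuthTag(sealed.subarray(sealed.length - TAG_LEN));
  try {
    const ct = sealed.subarray(IV_LEN, sealed.length - TAG_LEN);
    return Buffer.concat([d.update(ct), d.final()]);
  } catch {
    return null;
  }
}

// Constructed scenario: hopKey models the transport session that ends at the media
// relay; e2eKey is known only to the two users (assumed pre-shared).
function demo() {
  const e2eKey = crypto.randomBytes(32), hopKey = crypto.randomBytes(32);
  const frame = Buffer.from('constructed encoded video frame #7');
  // Hop encryption only: the relay recovers the raw frame.
  const hopOnly = openFrame(hopKey, sealFrame(hopKey, 1, 1, frame));
  // Superencrypted: seal end to end first, then for the hop.
  const atRelay = openFrame(hopKey, sealFrame(hopKey, 1, 2, sealFrame(e2eKey, 1, 2, frame)));
  const tampered = Buffer.from(atRelay);
  tampered[IV_LEN] ^= 1; // relay flips one ciphertext bit
  return {
    hopOnlyLeaksFrame: hopOnly.equals(frame),
    relaySeesFrame: atRelay.includes(frame),
    receiverRecovers: openFrame(e2eKey, atRelay).equals(frame),
    tamperDetected: openFrame(e2eKey, tampered) === null,
  };
}

console.log(demo());
```
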