[Cryptography] NSA security guidelines for videoconferencing

John Gilmore gnu at toad.com
Mon May 4 06:06:39 EDT 2020

Whitfield Diffie <whitfield.diffie at gmail.com> wrote:
BW> Unless the algorithm is rot0 or the user is a savant, some software
BW> is being trusted. And I doubt that even a savant could handle video
BW> encryption at frame rate.
>     This is a different sort of objection and surprises me.  It is a
>     factual question; does somebody have the facts?

There's a pretty good reverse-engineering of the Zoom Web client here,
by some people who specialize in doing streaming-video-over-internet
(WebRTC) in browsers:


The same site has other articles analyzing various other video
conferencing methods.  Here's one:

  "Does your video call have End-to-End Encryption?  Probably not..."

Here is a quick demo from three weeks ago of how they used a new
Insertable Streams JavaScript API in a beta Chrome version to prototype
true end-to-end encryption for the free software Jitsi web application.
(Spoiler: they superencrypt the actual video stream, since the raw
stream is getting sent over TLS, and TLS is negotiating keys with an
endpoint at a media relay service, not at the other user.  They are
still working out all the details of key agreement -- anybody want to


