Zoom is finally getting this huge upgrade — what you need to know [Update]

Zoom is finally getting this huge upgrade — what you need to know [Update]

The entire document has been updated with comments and explanations from Zoom

Zoom has decided to let conference participants use end-to-end encryption on a trial basis

"Starting next week, Zoom's end-to-end encryption (E2EE) will be available as a technology preview This means that we will actively solicit feedback from users during the first 30 days," Max Krohn, Zoom's head of security engineering, said in a blog post yesterday (October 14)

"Zoom users worldwide (free and paid) will be able to host up to 200 participants in E2EE meetings on Zoom, improving the privacy and security of Zoom sessions

This is all great, but like many things with Zoom, the devil is in the details First of all, it is not yet clear how to even enable this

Zoom's "E2EE" is not turned on by default, Krohn explains

"Customers will need to enable E2EE meetings at the account level," he said, and the blog post includes a screenshot of what appears to be a Zoom desktop client configuration screen

A fully updated version of the Windows desktop client could find no such setting, and attempts to adjust profile settings sent me to Zoom's website, but again I came up empty

"It will be available next week," a Zoom spokesperson told Tom's Guide when asked 'It will be incredibly easy to enable on the web dashboard and when scheduling meetings and attending meetings'

Even after E2EE is enabled, you still need to "opt-in to E2EE on a per-meeting basis"

As Krohn noted, "Enabling E2EE for this version of Zoom in a meeting allows you to join before hosting, cloud recording, streaming, live transcription, Breakout Rooms, voting, 1:1 private chat, conference reactions, and certain other features are disabled"

because

Although he does not mention it, he cannot imagine that someone would be allowed to join an E2EE meeting if they were calling from a phone line It might also be problematic to join from Zoom's web browser interface rather than from Zoom's desktop or mobile client software

A Zoom spokesperson confirmed both of these points

"Zoom's end-to-end encryption does not support dialing in through a traditional phone line or browser," a spokesperson told Tom's Guide

"It is difficult to prove that a meeting is truly encrypted end-to-end through a browser

"Individual Zoom users will want to consider whether they need these options before enabling end-to-end encryption in their meetings," the spokesperson added

On a more technical note, it is odd that Mr Krohn uses the abbreviation "E2EE" to refer to end-to-end encryption when the rest of the computer industry uses the more common "E2E"

This makes one wonder if Zoom is again fudging the definition of "end-to-end," as it has claimed for years that encrypted data between client and server counts as "end-to-end"

Indeed it does End-to-end encryption means that only two devices on either end of the communication can read the message Intermediate parties such as network servers, device manufacturers, and service providers should not be able to read the message

"This is real," a Zoom spokesperson told Tom's Guide, pointing us to a GitHub page documenting the progress of Zoom's encrypted implementation

"We use 'E2E' to mean 'end to end' and 'E2EE' to mean 'end-to-end encryption' (the three E's)," the spokesperson added

In Zoom's previous "end-to-end" implementation, Zoom's servers could decrypt all meetings, which meant that Zoom itself could access everything that was said in these meetings

While birthday parties and school classes are fine, government and corporate clients may want to protect their data from a company that operates on a large scale in China and is founded and led by Chinese nationals

"Zoom is an American company publicly traded on NASDAQ, its founder and CEO is an American citizen, and its headquarters are in San Jose, California," a spokesperson noted

To remedy this embarrassing situation, Zoom acquired an encryption provider called Keybase in May

Krohn's blog post does not clarify the situation, as he uses two supposedly contradictory explanations for how Zoom's "E2EE" works

"The E2EE provided by Zoom uses public key cryptography," he states in his FAQ That is, the [encryption] key for each Zoom meeting is generated by the participant's machine, not by Zoom's server"

That's right That's how end-to-end encryption works So far, so good (Public key cryptography does not create the actual encryption key, but is a secure way to send that key to other participants)

However, earlier in the same post, Krohn states, "In Zoom's E2EE, the meeting host generates the encryption key and distributes that key to other meeting participants using public key cryptography"

This doesn't make much sense Who exactly is generating the encryption keys? Is it the host of the meeting or the machines of the other participants?

"It's the host's machine," a Zoom spokesperson answered our question

Exactly what kind of encryption keys do the conference participants get from the host? Is there a separate encryption key for communications between the conference host and each participant, or do all conference participants share the same encryption key? If hundreds of conference participants share the same encryption key, does that really count as end-to-end encryption?

"All participants share the same conference key, but they use different public/private key pairs to communicate that conference key," a Zoom spokesperson told us after this article was first published

Categories