Zoom is rolling out end-to-end encryption (E2EE) in July for free to all users. It’s just a shame that they claimed it was already a part of their service—and lied.
Quite sneakily, the company used its own definition of the term, “one that lets Zoom itself access unencrypted video and audio from meetings,” according to the Intercept. The encryption that Zoom previously used is TLS, the same that servers use for HTTPS. This encryption is transport-only, breaking the widely accepted meaning of the term end-to-end encryption.
But now, Zoom is promising to bring genuine E2EE to all of its users. For real this time.
Making headlines for the wrong reasons is nothing new for the videoconferencing software company. In April, they claimed to have had 300 million daily active users—a truly impressive figure, if it was real. It wasn’t. Zoom walked back that claim soon after making it, clarifying that it had that number of daily meeting participants, which is different because a single person can be counted more than once.
More concerning than fudged numbers or semantics is Zoom’s suspect security background.
Governments and school districts around the world banned members from using Zoom. Others took less drastic measures and simply warned about the software’s issues. One issue that rose dramatically was “Zoombombing,” an attack in which uninvited users gain access to and disrupt a class session or meeting. This flaw has plagued the company at least since usage of its software took off back in March.
Zoombombing was not the end of bad news, though. The company was also pressured to stop sending data analytics to Facebook after not disclosing the practice to users; they admitted to using whitelisted Chinese servers they shouldn’t have; they were sued at least four times; they had 500,000 accounts sold on the dark web; and they’ve had more serious bugs, flaws, exploits, and other vulnerabilities than we have time to talk about.
In fairness, the company has been quick to respond to complaints and security concerns, apologizing, patching, and promising to change. As part of its commitment to better security and privacy for its users, Zoom purchased Keybase, a secure messaging and file-sharing service, back in May.
And now we’re seeing the latest fruits of that labor. That promise? End-to-end encryption.
What is end-to-end encryption?
E2EE is largely considered the most private way to communicate over the internet, and it all (unsurprisingly) boils down to how and when messages are encrypted, who can decrypt (or read) it, and how it might be compromised.
In the traditional TLS encryption (Remember the one that Zoom had been using when it promised it was doing more?), messages are only encrypted in transit but not as they are stored. This means that the third party—Zoom, in this case—has access to messages between users on its platforms. It can use that access to mine and sell data for things like ad targeting. Zoom promises it doesn’t do that, saying it “has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including—but not limited to—the video, audio and chat content of those meetings.”
End-to-end encryption, on the other hand, keeps the data encrypted even as it is stored, making it so that only the intended recipient can read the message. This ‘permanent’ encryption, in theory, means that no one—not even a telecom provider, ISP, or a communications provider like Zoom—can access the secret cryptographic keys needed to read the message. This is why E2EE is considered the gold standard of private communication—and why it matters that Zoom lied about having it.
Does E2EE make Zoom any safer?
In theory, yes. It certainly is a move in the right direction for a company that has had so many privacy and security concerns.
In moving to optional E2EE, Zoom is addressing a key issue with its default encryption. While TLS (Transport Layer Security) is a widely used protocol, it remains a transit-only system. Messages are stored by the third party, making it absolutely vital that the third party is doing everything possible to protect user privacy and keep them safe from cybercriminals. Given Zoom’s shady history, it makes sense that some users may not have trusted them to store their data.
That all changes now. By providing a verifiable phone number (and potentially more information) concerned users, hosts, and admins can click a button and enable end-to-end encryption, keeping it safe from any eavesdropping. Right?
Well, yes—but again, just in theory. E2EE relies on a few other steps to keep it secure. Rather than trying to break the advanced encryption, attackers can impersonate a recipient during a key exchange, essentially tricking the sender into making their message readable by the attacker. The attacker can read the message before encrypting it for the real recipient. In this way, they can eavesdrop on conversations without being detected. That’s why these intrusions are called “man-in-the-middle” attacks.
In stopping MITM attacks, communications providers frequently utilize certificate authorities which confirm the identity of a recipient. This extra layer of authentication is important for Zoom to utilize, and we will wait to see if they have any issues with it.
Perhaps more worrisome are backdoors. These allow someone to bypass encryption, authentication, or both without anyone’s knowledge. Backdoors can be created intentionally (by a bad actor in the company, for example) or unintentionally (as with a simple oversight during development). Either way, they let someone in that’s not supposed to be there. Zoom will have to safeguard against them to keep its users’ data secure.
How do others stack up?
Google Duo, Apple’s iMessage and FaceTime, and WhatsApp all already use E2EE while Facebook promised in 2019 that it would begin working on rolling it out to its Messenger app and platform as a whole. Microsoft Teams encrypts data “in transit and at rest,” but it is unlikely that refers to anything other than standard 256-bit AES and disk encryption—that is, not end-to-end. Microsoft protects your data but still has access to it on its servers (which is logical because of the complexity and interconnectedness of all other Office 365 apps).
Again, this is surely a step in the right direction for Zoom, a company which has faced its fair share of harsh criticism. Security concerns are probably going to disproportionately follow Zoom for some time to come, but that’s what happens when you mistreat people’s data and lie about it.
If Zoom teaches you anything, it’s that your privacy and your security are not games. Sooner or later, bad things will happen if you’re not protected. The same can be said of your business.
Implementing a company-wide security strategy is a daunting challenge and one you might not feel comfortable taking on alone. That’s where the security experts come in. Led by our CISSP-certified CEO, we stand ready to take any and all of your tech concerns and deliver solutions to you that work. Lets us explain how. You can reach us here or by phone at (508) 453-4700.