Calling it a disaster.. I find the security community a bit tough against Zoom.
They traded a bit of security in favor of useability? Fair enough.
They failed to recognise AES-EDC can be attacked by very motivated cryptanalysts? Alright.
They gathered a little bit more data than they claim they did? Well, who is not doing that?
I think they proved they can be agile. They fixed a bunch of sec issues in few days, while growing their user base like 30x, in a shutdown period!
How many companies would be able to do that?
I am sure they will work in fixing all of those quickly.
E2EE will take a bit of time. Right. In the meantime, Zoom is working pretty darn well for talking with 10+ family and friends while everybody is contained. Do we need E2EE for that? probably not, but that is my choice.
This is a great summary of the ongoing issues, it however does miss a few things. Including a security vulnerability in their lobby feature that has privately been reported to Zoom by CitizenLab the other day - and which still needs fixing.
The crypto part is really bad, because it seems potentially malicious even.
Has anyone done crypto analysis on the pwd= query parameter? Knowing their security skills I'm wondering if that is crackable...
Zoom has been around for a while. IMHO, their sloppiness and privacy issues is typical of their class of corporate software. Having used them plenty, this does not surprise me one bit. If yoi told me the same about lync ("Skype for business") I would not be surprised one bit either.
Just one last thing: The UNC thing..yeah lots of apps habe that issue and it is an issue only if you have a home pc and disable windows firewall or if you are an enterprise user and your network does not block outbound SMB (in which case you have a whole host of problems). Pretty sure Skype and other clients(including irc,jabber,etc...) Do it, it actually makes a lot of sense when talking about corporate meetings, I believe it's windows that sends your creds to the attacker, the client just makes it clickable.
What are some good alternatives to Zoom that are actually true end-to-end encrypted? I know of one: https://www.crypho.com/ and Crypho is offering free audio and video conferencing for the next 3 months due to Coronavirus demand.
what about open-source Jitsi hosted on own servers? sounds like much more secure and controllable option. i used it just several times for group calls, so cannot say how full the functionality list is but so far rather good alternative to Zoom.
11 comments
[ 2.6 ms ] story [ 22.9 ms ] threadThey traded a bit of security in favor of useability? Fair enough. They failed to recognise AES-EDC can be attacked by very motivated cryptanalysts? Alright.
They gathered a little bit more data than they claim they did? Well, who is not doing that?
I think they proved they can be agile. They fixed a bunch of sec issues in few days, while growing their user base like 30x, in a shutdown period! How many companies would be able to do that?
I am sure they will work in fixing all of those quickly. E2EE will take a bit of time. Right. In the meantime, Zoom is working pretty darn well for talking with 10+ family and friends while everybody is contained. Do we need E2EE for that? probably not, but that is my choice.
No, that's not "fair enough".
> They failed to recognise AES-EDC can be attacked by very motivated cryptanalysts? Alright.
No "motivated cryptanalysts" have put time into looking at yet.
> They gathered a little bit more data than they claim they did? Well, who is not doing that?
People who care about your privacy?
> I think they proved they can be agile.
They proved they could fix things that they lied or were clearly shady as soon as the media got wind of it?
> Do we need E2EE for that? probably not, but that is my choice.
It is your choice, but you have the right to make an informed choice. Zoom lied and prevented people from doing this.
See what I mean?
The crypto part is really bad, because it seems potentially malicious even.
Has anyone done crypto analysis on the pwd= query parameter? Knowing their security skills I'm wondering if that is crackable...
Just one last thing: The UNC thing..yeah lots of apps habe that issue and it is an issue only if you have a home pc and disable windows firewall or if you are an enterprise user and your network does not block outbound SMB (in which case you have a whole host of problems). Pretty sure Skype and other clients(including irc,jabber,etc...) Do it, it actually makes a lot of sense when talking about corporate meetings, I believe it's windows that sends your creds to the attacker, the client just makes it clickable.