"We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China."
Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings - The Citizen Lab
@ScottMortimer they use an insecure mode and poor generation and management practices. They didn't "roll their own", though: they're using standard things, just badly
It is still a poor implementation, however you want to classify it. Telegram for video chat. 🤮
@ScottMortimer Yes, but accuracy in reporting matters. If they rolled their own, that's a "what the fuck are you even doing" level of bad. This is "well… depends on your threat model, but probably don't use it if you need more than casual privacy" bad.
And some more information on their implementation: https://www.cs.columbia.edu/~smb/blog/2020-04/2020-04-04.html
@ScottMortimer Oh my. This picture from the same article... 😩
@ScottMortimer Why would it be any more of concern to have keys piped through China than any of the 14 Eyes nations?
@slightlyflightyone @ScottMortimer China is slightly more concerning due to the policies you have to agree to in order to operate a business of any kind there; if the government tells you they're assigning an oversight agent you have to allow them access to stuff, broadly construed.
In this particular case, it looks like an oversight - the increase in load meant American traffic "spilled over" into China, instead of erroring out.
The fix is to segment off your Chinese operations.
@ScottMortimer Yeah, Zoom is sucking out loud fersure, but I'm getting more than a little sick of the "blame China" chorus.
Like the USA is pure as the goddamn driven snow.
@ScottMortimer Extra funny, because when I attended Information Security 101, the very first point was literally: "DO NOT ROLL YOUR OWN ENCRYPTION".
@ScottMortimer -- I wonder whether this may be related: I recently attempted to install the ZOOM Client on a system running openSUSE Leap 15.1 with the downloaded package from ZOOM (rpm type package). YaST reported "The package is broken", and "Package failed integrity test".