"We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China."
Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings - The Citizen Lab
@darrenpmeyer
It is still a poor implementation, however you want to classify it. Telegram for video chat. 🤮
@ScottMortimer Yes, but accuracy in reporting matters. If they rolled their own, that's a "what the fuck are you even doing" level of bad. This is "well… depends on your threat model, but probably don't use it if you need more than casual privacy" bad.
@darrenpmeyer
And some more information on their implementation: https://www.cs.columbia.edu/~smb/blog/2020-04/2020-04-04.html
@ScottMortimer Why would it be any more of concern to have keys piped through China than any of the 14 Eyes nations?
@slightlyflightyone @ScottMortimer China is slightly more concerning due to the policies you have to agree to in order to operate a business of any kind there; if the government tells you they're assigning an oversight agent you have to allow them access to stuff, broadly construed.
In this particular case, it looks like an oversight - the increase in load meant American traffic "spilled over" into China, instead of erroring out.
The fix is to segment off your Chinese operations.
@riking @ScottMortimer this is literally the same as operating in the U.S. tho
That's completely a false dichotomy. No matter how much you dislike the 14 Eyes nation's, they operate very differently than the PRC.
Good god, this is even worse than expected. Absolutely furious that my province made a deal to use and promote zoom. I'm about to ban it in my house. Maybe should have done so previously.
I'm already aware of one security breach in our district - my 10 year old son was accused of breaking in to a conference going on with another school's teacher.
Super appreciate the work being done by places like the citizen lab
@ScottMortimer Yeah, Zoom is sucking out loud fersure, but I'm getting more than a little sick of the "blame China" chorus.
Like the USA is pure as the goddamn driven snow.
@ScottMortimer Extra funny, because when I attended Information Security 101, the very first point was literally: "DO NOT ROLL YOUR OWN ENCRYPTION".
@ScottMortimer -- I wonder whether this may be related: I recently attempted to install the ZOOM Client on a system running openSUSE Leap 15.1 with the downloaded package from ZOOM (rpm type package). YAST reported "The package is broken", and "Package failed integrity test".
@ScottMortimer they use an insecure mode and poor generation and management practices. They didn't "roll their own", though: they're using standard things, just badly