"We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China."

Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings - The Citizen Lab

@ScottMortimer they use an insecure mode and poor generation and management practices. They didn't "roll their own", though: they're using standard things, just badly
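The "insecure mode" referred to above is, per the Citizen Lab report linked at the top, AES in ECB mode, where identical plaintext blocks encrypt to identical ciphertext blocks. As an added example that is not part of this thread, the Go program below contrasts hand-rolled ECB with AES-GCM and counts duplicate ciphertext blocks, the simple check a defender can run over a captured stream; the key and the repeating plaintext are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// ecbEncrypt runs AES on each block independently (ECB); pt must be block-aligned.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	if len(pt)%block.BlockSize() != 0 {
		panic("plaintext is not block-aligned")
	}
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(out[i:], pt[i:]) // equal input blocks give equal output blocks
	}
	return out
}

// gcmEncrypt: AES-GCM with a fresh random nonce, so equal blocks diverge and the tag catches tampering.
func gcmEncrypt(block cipher.Block, pt []byte) []byte {
	aead, _ := cipher.NewGCM(block) // only fails for non-16-byte blocks; AES is 16
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error since Go 1.24
	return aead.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}

// repeatedBlocks counts ciphertext blocks equal to an earlier one: about zero
// for sound ciphertext, large when ECB leaks the plaintext's structure.
func repeatedBlocks(ct []byte) (dups int) {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// DemoRepeatedBlocks encrypts a constructed plaintext of eight identical blocks (a static video region) under both modes.
func DemoRepeatedBlocks() (ecbDups, gcmDups int) {
	block, _ := aes.NewCipher([]byte("constructed-key!")) // 16-byte constructed key; fails only on bad length
	pt := bytes.Repeat([]byte("static frame reg"), 8)
	return repeatedBlocks(ecbEncrypt(block, pt)), repeatedBlocks(gcmEncrypt(block, pt))
}
```

Run `DemoRepeatedBlocks()` and the ECB output reports seven duplicate blocks out of eight while the GCM output reports none, which is the whole leak in one number.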

It is still a poor implementation, however you want to classify it. Telegram for video chat. 🤮

@ScottMortimer Yes, but accuracy in reporting matters. If they rolled their own, that's a "what the fuck are you even doing" level of bad. This is "well… depends on your threat model, but probably don't use it if you need more than casual privacy" bad.

Good god, this is even worse than expected. Absolutely furious that my province made a deal to use and promote zoom. I'm about to ban it in my house. Maybe should have done so previously.

I'm already aware of one security breach in our district - my 10-year-old son was accused of breaking into a conference going on with another school's teacher.

Super appreciate the work being done by places like the Citizen Lab.

@ScottMortimer I read a report this morning about a teacher holding an online class of kids on Zoom when a man entered the zoom class and exposed the children to his genitals live. No one should allow child use of zoom at all.

@ScottMortimer Yeah, Zoom is sucking out loud fersure, but I'm getting more than a little sick of the "blame China" chorus.

Like the USA is pure as the goddamn driven snow.

@ScottMortimer Extra funny, because when I attended Information Security 101, the very first point was literally: "DO NOT ROLL YOUR OWN ENCRYPTION".

@ScottMortimer -- I wonder whether this may be related: I recently attempted to install the ZOOM Client on a system running openSUSE Leap 15.1 with the downloaded package from ZOOM (rpm type package). YAST reported "The package is broken", and "Package failed integrity test".

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.