"We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China."
Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings - The Citizen Lab
@ScottMortimer they use an insecure mode and poor generation and management practices. They didn't "roll their own", though: they're using standard things, just badly.
It is still a poor implementation, however you want to classify it. Telegram for video chat. 🤮
@ScottMortimer Yes, but accuracy in reporting matters. If they rolled their own, that's a "what the fuck are you even doing" level of bad. This is "well… depends on your threat model, but probably don't use it if you need more than casual privacy" bad.
And some more information on their implementation: https://www.cs.columbia.edu/~smb/blog/2020-04/2020-04-04.html
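Added illustration (not part of the thread, and not Zoom's code): the "insecure mode" point above is the difference between a raw block-cipher mode and an authenticated one. The Citizen Lab report linked above identified AES in ECB mode; this Go program, using only the standard library, encrypts the same repetitive sample data (constructed here, 64 copies of one 16-byte pattern, standing in for a largely static media frame) under hand-rolled AES-ECB and under AES-GCM, then counts repeated ciphertext blocks. The key, the sample data and the function names are assumptions of this example. Go's standard library deliberately ships no ECB mode, which is why the loop has to be written by hand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt encrypts each 16-byte block independently with the same key.
// No per-message randomness and no integrity tag: identical plaintext
// blocks produce identical ciphertext blocks, so structure leaks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt uses AES-GCM, an authenticated mode: a fresh random nonce per
// message plus an authentication tag. Output layout is nonce || ct || tag.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// duplicateBlocks counts 16-byte ciphertext blocks seen more than once.
// Any repeat tells a passive observer where the plaintext repeats.
func duplicateBlocks(ct []byte) int {
	seen := make(map[[16]byte]bool)
	dups := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// sampleFrame is constructed test data: 64 copies of one 16-byte pattern,
// a stand-in for media with large static regions.
func sampleFrame() []byte {
	pattern := []byte("0123456789abcdef")
	frame := make([]byte, 0, 16*64)
	for i := 0; i < 64; i++ {
		frame = append(frame, pattern...)
	}
	return frame
}

// compareModes returns the repeated-block counts for ECB and GCM on the
// same input under the same key.
func compareModes(key []byte) (ecbDups, gcmDups int, err error) {
	frame := sampleFrame()
	ecb, err := ecbEncrypt(key, frame)
	if err != nil {
		return 0, 0, err
	}
	gcm, err := gcmEncrypt(key, frame)
	if err != nil {
		return 0, 0, err
	}
	return duplicateBlocks(ecb), duplicateBlocks(gcm), nil
}

func main() {
	key := make([]byte, 16) // AES-128 key, randomly generated for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	e, g, err := compareModes(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d repeated ciphertext blocks; GCM: %d repeated blocks\n", e, g)
}
```

Under ECB every one of the 63 later blocks repeats the first; under GCM none do, and any tampering with the GCM output fails authentication on decryption, which ECB cannot detect at all. The mode choice, not the AES primitive, is what the "used badly" criticism is about.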
@ScottMortimer Yeah, Zoom is sucking out loud fersure, but I'm getting more than a little sick of the "blame China" chorus.
Like the USA is pure as the goddamn driven snow.
@ScottMortimer Extra funny, because when I attended Information Security 101, the very first point was literally: "DO NOT ROLL YOUR OWN ENCRYPTION".
@ScottMortimer -- I wonder whether this may be related: I recently attempted to install the ZOOM Client on a system running openSUSE Leap 15.1 with the downloaded package from ZOOM (rpm type package). YAST reported "The package is broken", and "Package failed integrity test".