Zoom Video Calls Are Not End-to-End Encrypted, Contrary to Its Public Claims theintercept.com

Micah Lee and Yael Grauer, the Intercept:

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

[…]

“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.
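The distinction the spokesperson is drawing can be made concrete. The following is an added illustration, not code from Zoom or the Intercept: a relay server sits between two clients, and the only question is who holds the key for the media. In "transport" mode each client shares a key with the relay (the page's "key negotiated over a TLS connection"), so the relay decrypts and re-encrypts, and can read everything. In end-to-end mode the two clients share a key the relay never learns, so even with all of its own session keys the relay can only pass ciphertext along. The cipher is a stand-in built from the standard library (HMAC-SHA256 keystream plus an HMAC tag) in place of the AES the spokesperson mentions; the client names, key sizes and the `Relay` class are assumptions of this example.

```python
"""Hop-by-hop ("transport") encryption versus end-to-end encryption of a media stream.

Added example; not Zoom's code. The cipher is a PRF-in-counter-mode stream cipher
with an encrypt-then-MAC tag, built only from the standard library as a stand-in
for AES. The point being shown is who holds the key, not the cipher itself.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Concatenate HMAC-SHA256(key, nonce || counter) blocks: a simple PRF-CTR keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC under one key, for brevity)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the key is wrong or data was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Relay:
    """Models the server in the middle (assumed name). `seen` records every plaintext
    the relay managed to recover; a genuine end-to-end design must leave it empty."""

    def __init__(self, session_keys: dict):
        # Per-client keys the relay negotiated with each client over its own TLS session.
        self.session_keys = session_keys
        self.seen = []

    def forward_transport(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Transport encryption: the relay terminates the sender's session, recovers
        # the media, records it, and re-encrypts it for the recipient.
        plaintext = unseal(self.session_keys[sender], blob)
        self.seen.append(plaintext)
        return seal(self.session_keys[recipient], plaintext)

    def forward_e2e(self, blob: bytes) -> bytes:
        # End-to-end: the relay tries every key it holds; none fits, so it only forwards.
        for key in self.session_keys.values():
            try:
                self.seen.append(unseal(key, blob))
            except ValueError:
                pass
        return blob


def transport_encrypted_call(message: bytes):
    """Client-to-server encryption. Returns (what the recipient got, what the relay saw)."""
    relay = Relay({"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)})
    on_wire = seal(relay.session_keys["alice"], message)
    delivered = unseal(relay.session_keys["bob"], relay.forward_transport("alice", "bob", on_wire))
    return delivered, relay.seen


def e2e_call(message: bytes):
    """End-to-end encryption. The shared key exists only on the two clients."""
    relay = Relay({"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)})
    shared = secrets.token_bytes(32)  # agreed between the clients; the relay never learns it
    delivered = unseal(shared, relay.forward_e2e(seal(shared, message)))
    return delivered, relay.seen


if __name__ == "__main__":
    frame = b"constructed video frame"
    print("transport mode, relay saw:", transport_encrypted_call(frame)[1])
    print("e2e mode, relay saw:      ", e2e_call(frame)[1])
```

Both calls deliver the frame intact; the difference is entirely in `relay.seen`. That list is the practical test for any "end-to-end" claim: if the operator's servers can populate it, the encryption is hop-by-hop, whatever the padlock tooltip says.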

Dan Moren, Six Colors:

In and of itself, this situation is raising a lot of questions, but what’s worse is that it’s part of a clear pattern with Zoom. Just this past week, the company’s iOS app was discovered to be sending information to Facebook without disclosing that in its privacy policy. Others have pointed out that its macOS installer also seems to have some shady behavior. And, of course, last year the company was found to be installing a secret local web server to bypass an Apple security restriction.

Lacking end-to-end encryption for video chat is not uncommon. What is unique to Zoom is that they’re lying about it in marketing materials by redefining “end-to-end encryption” to fit their needs.

Stuff like this — and the installer that runs on the preflight step instead of the correct installation step — are things that are so easy to get right. Zoom’s repeated failures would ordinarily only seem sloppy, but the web server that it installed last year created a massive security vulnerability which the company did not address for months. Zoom’s problems point to an entirely avoidable reckless culture.

Update: Oded Gal of Zoom:

In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. This blog is intended to rectify that discrepancy and clarify exactly how we encrypt the content that moves across our network.

Zoom continues to market its product as having “end-to-end encryption for all meetings”, which simply isn’t true.