Six Colors

by Jason Snell & Dan Moren


by Dan Moren

Zoom buys Keybase to shore up security

Zoom CEO Eric Yuan, writing on the company’s blog:

Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting.
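As an added illustration of the key handling the quoted design describes, not code from Zoom (whose design draft was not yet public when this was posted): the host generates a fresh per-meeting symmetric key, envelopes it under each admitted attendee's identity public key, and rotates it whenever the attendee list changes. RSA-OAEP as the envelope scheme, the struct and function names, and the OAEP label are assumptions for this example; the quote names only "asymmetric keypairs".

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// OAEP label binding each envelope to its purpose (a constructed value, not Zoom's).
var label = []byte("meeting-key")

// Meeting is the host's state: the current ephemeral 256-bit key, a counter
// bumped on every rotation, and the identity public keys of admitted clients.
type Meeting struct {
	Key     []byte
	Epoch   int
	Members map[string]*rsa.PublicKey
}

func NewMeeting() *Meeting { return &Meeting{Members: map[string]*rsa.PublicKey{}} }
// rotate draws a fresh key and envelopes it with RSA-OAEP for every current
// member. Only the host sees the plaintext key; the network carries envelopes.
func (m *Meeting) rotate() (map[string][]byte, error) {
	m.Key = make([]byte, 32)
	if _, err := rand.Read(m.Key); err != nil { return nil, err }
	m.Epoch++
	env := map[string][]byte{}
	for name, pub := range m.Members {
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m.Key, label)
		if err != nil { return nil, err }
		env[name] = c
	}
	return env, nil
}

// Admit and Remove are the host's membership decisions; each rotates the key so
// a removed client cannot read later traffic and a newcomer cannot read earlier.
func (m *Meeting) Admit(name string, pub *rsa.PublicKey) (map[string][]byte, error) {
	m.Members[name] = pub
	return m.rotate()
}
func (m *Meeting) Remove(name string) (map[string][]byte, error) {
	delete(m.Members, name)
	return m.rotate()
}
// Unwrap is the client side: recover the meeting key with the identity private key.
func Unwrap(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, env, label)
}
```

Note what the envelope map makes visible: an attendee removed by the host simply stops receiving envelopes, and nothing on the wire ever carries the meeting key in the clear.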

Sunshine, as they say, is the best disinfectant, and the attention put on Zoom’s security and privacy woes seems to be having the desired result: the company already upped its encryption to 256-bit AES-GCM with the Zoom 5.0 update it recently released. The Keybase acquisition is poised to let it offer true end-to-end encryption as well.

There are, as Yuan points out, drawbacks to implementing that end-to-end encryption, which will be an option for paid accounts, but not mandatory. Namely, certain features won’t be compatible, such as phone bridges and cloud recording (because Zoom can’t decrypt the content). A draft of the cryptographic design will be published on May 22.

Yuan also spells out the company’s ideals in the post, including that it has not built and will not build a way to decrypt live meetings for law enforcement, and that employees cannot invisibly snoop on meetings.

Even the recent dings to its security and privacy don’t seem to have dented Zoom’s popularity. And, to its credit, the company has moved quickly to fix the problems that have been brought to light–which is exactly what should happen. This does indeed seem to have been a case where expediency trumped the way these features should have been rolled out–here’s hoping this measured response means that the company will think harder about the choices it makes in the future.

—Linked by Dan Moren
