Thursday, April 2, 2020

Cheap, Fast, or Secure... Pick Two

from here

So it appears that Zoom's "end-to-end" encryption only counts as end-to-end if you consider Zoom's servers themselves to be one of the ends. Specifically, according to their own blog, they have software running on their servers acting like legitimate communication endpoints so that they can send the unencrypted data to devices that don't support their end-to-end encryption. It's a backdoor dressed up as a compatibility feature. We have to take them at their word that this backdoor will never be used by misbehaving employees and that various governments will never or can never compel them to use it to reveal our communications.

They could have (and arguably should have) simply told customers they can't use the end-to-end encryption feature when participants are using devices that don't support it, but they chose to compromise the communication channel instead so that users could maintain a (now false) sense of security.