Zoom does not support end-to-end encryption


Zoom, a video conferencing service whose use exploded amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely regarded as the most private form of communication on the Internet because it protects conversations from all outside parties.

With millions of people around the world working from home to stop the spread of the coronavirus, business is booming for Zoom, which has drawn attention to the company and its privacy practices.

Zoom offers reliability, ease of use and at least one very important security guarantee: as long as you make sure everyone in a Zoom meeting connects using "computer audio" to make a call from a phone, the meeting is secured with end-to-end encryption, at least according to the Zoom website, its security whitepaper and the app's user interface.

But despite this misleading marketing, the service does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead, it offers what is generally called transport encryption.

In the Zoom whitepaper, there is a list of "Pre-meeting security features" available to the meeting organizer starting with "enable an end-to-end (E2E) encrypted meeting."

Later in the whitepaper, it lists "Secure a meeting with E2E encryption" as a "meeting security capability" available to the meeting hosts. When a host starts a meeting with the option "Require encryption for third-party endpoints" enabled, participants see a green padlock that says "Zoom uses an end-to-end encrypted connection" when hovering over it.

When various users tried to contact the company to find out whether video meetings are really end-to-end encrypted, a Zoom spokesperson wrote:

“E2E encryption cannot be enabled for Zoom video conferencing. Zoom video meetings use a combination of TCP and UDP. TCP connections are established using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption used by Zoom to protect meetings is TLS, the same technology used by web servers to protect HTTPS websites. This means that the connection between the Zoom application running on a user's computer or phone and the Zoom server is encrypted in the same way as the connection between a web browser and a website.

This is transport encryption, which differs from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content stays private from anyone trying to intercept the traffic, but it does not stay private from the company.

For a Zoom meeting to be end-to-end encrypted, video and audio content must be encrypted so that only meeting participants can decrypt it. The Zoom service itself could have access to the encrypted content of the meeting, but it would not have the keys needed to decrypt it (only the meeting participants would have these keys) and therefore would not have the technical ability to listen in on private meetings.
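The difference between the two models, as an added example that is not code from Zoom or from the original article: the same relay server handles both cases, and what it can read depends only on whether the clients add an inner layer under a key the server never receives. The cipher is a standard-library stand-in rather than AES or TLS, and the names `relay`, `meeting_key` and the link keys are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Stand-in authenticated cipher from the standard library so the example runs
# offline. It is NOT AES or TLS and is not for production use; it only models
# "encrypt and authenticate under a shared key".
def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def relay(sender_link_key, receiver_link_key, blob):
    """Server side: terminate the sender's link, re-encrypt for the receiver."""
    seen = unseal(sender_link_key, blob)  # what the service holds in memory
    return seen, seal(receiver_link_key, seen)

def server_can_open(blob, server_keys):
    """True if any key the server holds decrypts the blob."""
    for key in server_keys:
        try:
            unseal(key, blob)
            return True
        except ValueError:
            pass
    return False

def demo():
    media = b"constructed sample audio frame"  # constructed sample input
    alice_link, bob_link = secrets.token_bytes(32), secrets.token_bytes(32)
    meeting_key = secrets.token_bytes(32)  # assumption: known to participants only
    # Transport encryption only: the media itself goes into the link.
    seen_t, fwd = relay(alice_link, bob_link, seal(alice_link, media))
    bob_t = unseal(bob_link, fwd)
    # End-to-end: media is sealed under meeting_key before it enters the link.
    seen_e, fwd = relay(alice_link, bob_link, seal(alice_link, seal(meeting_key, media)))
    bob_e = unseal(meeting_key, unseal(bob_link, fwd))
    return media, seen_t, bob_t, seen_e, bob_e, server_can_open(seen_e, [alice_link, bob_link])
```

How participants agree on `meeting_key` without the server learning it is outside what this example models.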

“When we use the term 'end-to-end' in our other posts, it refers to the encrypted connection from the Zoom endpoint to the Zoom endpoint,” said a Zoom spokesperson, apparently referring to Zoom servers as “endpoints” even though they sit between Zoom clients. “Content is not decrypted as it is transferred through the Zoom cloud” over the network between these machines.

Only the text chat functionality seems to benefit from end-to-end encryption.

Source: https://www.consumerreports.org

