
Zoom's Encryption Is 'Not Suited for Secrets' and Has Surprising Links To China, Researchers Discover (theintercept.com)

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. From a report: The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab -- widely followed in information security circles -- that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them.
    • by fermion ( 181285 )
      Zoom provides value to people, and the security issues are obvious to any minimally knowledgeable person. They are going to have features that generate profits, and those features are going to prioritize Zoom and paying customers, not the end user. Even the paying end user is not going to be a priority, as that is not the business model. Obviously no real business should use Zoom, any more than they would use some random person on the street to handle a confidential letter, there are situations where Zoom
      • by kqs ( 1038910 )

        "Zoom isn't great, but I'm sure they're okay. Now let me complain about a totally different company!!!"

        Zoom lied. They lied about their encryption, about selling your information, and lots of other things. This is not something that "any minimally knowledgeable person" can figure out.

        I sometimes use telnet to debug things. That's fine; I understand the risks. But if I use ssh I don't expect those same risks, so an ssh which disables all encryption would be a problem.

  • Zoom China (Score:2, Troll)

    by darkain ( 749283 )

    Zoom has an offering in China. This requires them to have local staff to support it.

    Guess what? AWS has two regions in China. How much shit do you use on a daily basis that connects to AWS? Do you just assume then that EVERYTHING you do online interacting with AWS also has "ties to China" !?

    WELL CRAP, there goes 75% of the internet you're allowed to use. Please log off now.

  • No worries... (Score:5, Insightful)

    by SirAstral ( 1349985 ) on Friday April 03, 2020 @11:55AM (#59904944)

    China can infect the entire planet with a virus and no one will do anything to them for it...

    I wonder if our species has become basically one giant Stockholm experiment. Everyone and every government has failed... and not just in some small way. Catastrophic failure from all governments. Only Australia had the brass to do the right thing. With WHO becoming a parrot for China, China actively suppressing information and especially their involvement.

    If the world does not sink China for this, China will know how far it can go with things... and it can already go too far. As things go, China has no problem letting its citizens die to make sure its economy stays healthy, spread misinformation, control information, murder/imprison dissenters, and when China has all that cash to flash against all the money starving nations that have murdered their economies in knee jerk response... well we will see how things shake out... won't we?

    • by Anonymous Coward

      As things go, China has no problem letting its citizens die to make sure its economy stays healthy,

      Which is why they shutdown their economy so quickly trying to save all those people....
      WindBourne logic much?

      • Been reading main stream media lately? They are still having outbreaks. But then, they are not releasing that information. Quit being an asshole, and read everything. Just don't let your hatred get in the way of recognizing truths you don't want to hear.
        • "Just don't let your hatred get in the way of recognizing truths you don't want to hear."

          Yea, I am afraid even in the face of worldwide death and economic disaster people will not avoid doing this.

          Too many people would rather be dead & wrong than to admit they made a mistake or have a bias.

  • Shorts gotta short I know, but the flood of stupid anti-Zoom articles is just getting old.

    Zoom works well for many, many people so you ain't gonna be able to derail this train.

    • Everyone look at the ZOOM stockholder! Trying to keep their investment afloat.
      • I've never owned Zoom stock. But given the record of success TSLA shorts had, I'm pretty sure I plan to buy some Zoom stock shortly. (ha!).

        I just think maybe Slashdot has gone a teeny-tiny bit overboard on the bombastic Zoom hate articles, with eye-rollingly misleading data about Zoom.

        So sorry for your loss (and losses to come) Mr. Short!

          I just think maybe Slashdot has gone a teeny-tiny bit overboard on the bombastic Zoom hate articles, with eye-rollingly misleading data about Zoom.

          Slashdot isn't writing the Zoom hate articles though. It's merely pointing them out.

          If Slashdot stopped pointing them out, that isn't going to stop people from writing about all the lax privacy/security problems with Zoom's product.

    • Kind of. But even my son's band instructor is switching them off zoom, both because of security issues and quality issues. I'm not sure there's anything super secret they're worried about, it's just not working very well. I think Zoom may be Boom.

      • Even my son's band instructor is switching them off zoom, both because of security issues and quality issues.

        I see, and what is the band talking about that needs to be secure?

        I wish him luck but the reason our company has been using Zoom for a year and a half now is the other systems were worse. I think Zoom's popularity might be affecting service to some degree but mostly it's still been working well for us.

        I guess if you don't need more advanced tools like screen sharing other systems might be OK, but I

    • What is this, like the 3rd or 4th article about Zoom? I mean, I don't use it. We don't use it where I work. And most of the postings here I have read, most of us do not use it either. I mean, it's one thing to be informed so that we can share the information with friends that might be using it. But, isn't this becoming over kill?

      Lol, because I am on a number of shit lists here right now. What I was trying to convey to you is that I agree with you.
    • by Hawke ( 1719 )
      Most of the issues raised so far are exactly in line with your view... largely non-issues being hyped because you can get press now that you're targeting today's cool thing.

      The "encryption keys came from servers in China" one ... is more serious.

      (the "poor use of encryption" one is ... back to fear mongering. Everything that deals with connections that can drop will have to use an ECB-like block mode with similar issues. Otherwise a lost frame loses much more.)
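The trade-off raised in the comment above (a mode in which each block stands alone survives lost frames, at the cost of ECB's well-known weakness), shown as an added example that is not from this thread and is not Zoom's code: AES-128 in ECB mode beside AES-128 in CTR mode with a per-frame IV derived from the frame's sequence number. The key, the frame layout and the IV convention are constructed for the example only. ECB reveals every repeated plaintext block; CTR with a per-frame IV does not, and a frame still decrypts on its own when the one before it was lost.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// key is a constructed 16-byte AES-128 key for the demo, not a real key.
var key = []byte("0123456789abcdef")

// Frame is a constructed stand-in for one media frame: a sequence number
// and its payload. Lossy transports deliver frames late, out of order or
// not at all, so each frame must be decryptable on its own.
type Frame struct {
	Seq     uint32
	Payload []byte
}

// ecbEncrypt encrypts a payload block by block with the raw block cipher,
// which is what an "ECB-like" scheme amounts to. The payload must be a
// multiple of the block size. Identical plaintext blocks give identical
// ciphertext blocks: that is the well-known weakness.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("ecbEncrypt: plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// ctrEncryptFrame encrypts one frame in CTR mode with an IV built from the
// frame's sequence number, so a receiver can decrypt any frame it gets
// without the frames it missed. No padding is needed, and equal payloads in
// different frames give different ciphertexts. The IV layout (sequence
// number in the first 4 bytes, remaining bytes zero) is a convention made up
// for this example, not any real protocol's.
func ctrEncryptFrame(block cipher.Block, f Frame) []byte {
	iv := make([]byte, block.BlockSize())
	binary.BigEndian.PutUint32(iv[:4], f.Seq)
	out := make([]byte, len(f.Payload))
	cipher.NewCTR(block, iv).XORKeyStream(out, f.Payload)
	return out
}

// ctrDecryptFrame is symmetric with ctrEncryptFrame (CTR is XOR with a keystream).
func ctrDecryptFrame(block cipher.Block, seq uint32, ct []byte) []byte {
	return ctrEncryptFrame(block, Frame{Seq: seq, Payload: ct})
}

// repeatedBlocks counts ciphertext blocks equal to an earlier block in the
// same ciphertext, a direct measure of the plaintext structure ECB leaks.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	n := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			n++
		}
		seen[k] = true
	}
	return n
}

// Demo returns the repeated-block count under ECB, the repeated-block count
// under CTR across two frames, and whether frame 2 decrypts correctly when
// frame 1 was lost.
func Demo() (int, int, bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample: a 64-byte payload of four identical 16-byte blocks,
	// like a run of uniform pixels or digital silence.
	payload := bytes.Repeat([]byte("same-block-data!"), 4)

	ecbRepeats := repeatedBlocks(ecbEncrypt(block, payload), block.BlockSize())

	ct1 := ctrEncryptFrame(block, Frame{Seq: 1, Payload: payload})
	ct2 := ctrEncryptFrame(block, Frame{Seq: 2, Payload: payload})
	both := append(append([]byte{}, ct1...), ct2...)
	ctrRepeats := repeatedBlocks(both, block.BlockSize())

	// Simulate losing frame 1: the receiver sees only frame 2 and decrypts
	// it from its own sequence number.
	recovered := ctrDecryptFrame(block, 2, ct2)
	return ecbRepeats, ctrRepeats, bytes.Equal(recovered, payload)
}

func main() {
	e, c, ok := Demo()
	fmt.Printf("ECB repeated blocks: %d, CTR repeated blocks: %d, frame 2 decrypts after losing frame 1: %v\n", e, c, ok)
}
```

Run it and the ECB count comes out as 3 (four equal blocks, three of them repeats) while the CTR count is 0 and the lost-frame check passes. The point is that per-frame independence comes from giving each frame its own IV, not from ECB; a real design would also authenticate each frame, which neither mode here does.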

    • by guruevi ( 827432 )

      Also, most of these stories talk about the free version of Zoom. There is a paid version of Zoom that has contractual agreements to do end-to-end encryption with your own key/passcode management in North America, without Chinese datacenter involvement.

      You're basically blaming the car manufacturer for not giving you the car when you just took a test drive.

  • Any time someone thinks they can do encryption themselves.. they can't .. not even close

    And with well proven OSS encryption available why on earth would anyone even bother trying? seriously?

    • by znrt ( 2424692 )

      Any time someone thinks they can do encryption themselves.. they can't .. not even close

      And with well proven OSS encryption available why on earth would anyone even bother trying? seriously?

      neither tfa nor the reference it references really prove they do encryption themselves. it seems more like a bad implementation of proven protocols and overall a weak design. that's far from "rolling their own crypto", that's actually the case with most vulnerabilities. granted, the design is weak, just as weak as much of the conclusion (the research seems proper, though, just someone felt the urge to drum it up).

    • Hmm, you trust OSS encryption? I have a bridge to sell you.
  • I imagine they were instructed to do so. Anyone know of other high value industries where companies have ceased using it?
    • by JeffSh ( 71237 )

      i work for a fedgov contractor and we've issued organization directives to not use zoom, but that's of our own doing, we've received no instructions to do so.

  • "a home-grown encryption scheme"

    They're using ROT-14. It's one better than ROT-13!
  • As I am forced to use it through my work, I never really got why Zoom is so hyped. Despite being around for a while, only recently it has been the preferred go to solutions for online meeting. There is nothing inherently better than other platforms, and yet: despite having a poor track record, being a company with no reputation whatsoever in secure practices, ethically robust software development, companies embracing it with no deep thinking. This includes my employer, who jumped on it on two feet to soon have to put up security measures to contain potential risks. My question is: there are lots of other solutions that have been vetted more, and yet... When possible I prefer to use Meet, not because it's better (although the automated captioning is fantastic), but because I "trust" Google more than I trust Zoom. And that should tell you something about the reputation of Zoom.

      Where Zoom works better than a lot of other offerings is when you are Video Conferencing with more than 5 people. Some of our team meetings have 15+ people, all with video. Most other solutions get bogged down and you start seeing a lot of dropped frames. If you typically have videoconference meetings with 5 or less people, then other solutions may be a better fit.

      But, yes, Zoom obviously needs to work on the product security.

    • by jythie ( 914043 )
      I think Zoom's main selling point is large numbers of people already using it. People suggest the thing they have had suggested to them, and Zoom does work reasonably well.

      Though I think it is also picking up refugees from Skype, which has been getting less and less functional lately.
    • by spitzak ( 4019 )

      Zoom works much much better than Webex, and I am using both now.
      And Zoom has a real Linux client that works perfectly.

  • shocked I say (Score:5, Insightful)

    by hdyoung ( 5182939 ) on Friday April 03, 2020 @12:56PM (#59905106)
    You mean to tell me that some random teleconferencing service doesn't apply the same level of security that our military applies to its nuclear arsenal? Sir, I am shocked, shocked I say!

    More seriously, if you think that a teleconferencing service is suitable for discussing secrets, you have no business handling secrets. You, and anyone who handed you a secret, need to be slapped. Derisively, with a back hand.
  • That word, you keep using it....

  • by Danathar ( 267989 ) on Friday April 03, 2020 @02:30PM (#59905420) Journal
    I really wish people would do their research before writing about stuff. The FedRAMP version of Zoom for Government requires all infrastructure be located in approved DHS data centers. That INCLUDES THE KEY SERVERS. The story does not even mention this.
  • I took a NSA sponsored encryption course in 1990. 30 years ago. Think you have a really good encryption scheme? Often those methods are used for home work they're so trivial to break. It's very likely so is this. Just use AES. That's what it's there for. It's free.
