More progress on Zoom's 90-day plan to tighten up end-user security
Last week, I wrote a piece about Zoom’s security and its 90-day plan to combat occurrences like Zoombombing. Zoom’s founder and CEO, Eric Yuan, announced in April that the company would enact a 90-day plan to combat its security flaws. Two weeks after making that announcement, Zoom reached a monumental milestone on its timeline to sharpen security for its influx of new users, launching version 5.0.
Zoom recently reached another significant milestone on its 90-day quest to clean up its security for users, with the acquisition of Keybase. Keybase’s team of developers built a secure messaging and file-sharing service around the company’s expertise in encryption and security, and has been around since 2014.
Yuan said he wanted to turn Zoom into the most broadly used enterprise end-to-end encryption offering. And the acquisition of Keybase could bring the company one step closer, he acknowledged in a statement:
“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants.”
According to Zoom, audio and video content that travels between Zoom clients gets encrypted ‘at each sending client device.’ The company wrote in a recent blog post, “it is not decrypted until it reaches the recipients’ devices.”
The launch of Zoom 5.0 means that system-wide account enablement of AES 256-bit GCM encryption will occur May 30, 2020. Only Zoom clients on version 5.0 or later, including Zoom Rooms, can join Zoom Meetings starting that day. These encryption keys get generated by Zoom’s servers, however.
Some features widely used by Zoom clients, like support for attendees to call into a phone bridge, or the use of in-room meeting systems offered by other companies, will always require Zoom to keep some encryption keys in the cloud, Zoom said in a statement.
Yuan said Zoom will soon offer end-to-end encrypted meetings on all paid accounts. “Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees.”
Yuan added, “an ephemeral per-meeting symmetric key is to be generated by the meeting host.” This key will, in theory, get distributed between clients, enveloped with the asymmetric key pairs, and rotated. This will occur when there are “significant changes made to the list of meeting attendees.”
He continued that these cryptographic secrets will remain under the command of hosts, and the host’s client software will decide which devices can receive meeting keys and join meetings. “These end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems,” Yuan added.
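The key-distribution scheme Yuan sketches above, as an added illustration written for this article and not Zoom’s or Keybase’s own code: each device holds a long-lived identity key pair, the host generates an ephemeral per-meeting symmetric key, wraps it for every listed device under a pairwise key derived from the two identities, and rotates it whenever the roster changes. X25519 for identities, AES-256-GCM for the envelope, and SHA-256 in place of a proper KDF are all assumptions of this example; the article names no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewIdentity makes one device's long-lived key pair; X25519 is an assumption, the article names no curve.
func NewIdentity() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// Host holds the ephemeral per-meeting key and the roster of devices allowed to receive it.
type Host struct{ ID *ecdh.PrivateKey; MeetingKey []byte; Attendees map[string]*ecdh.PublicKey }
func NewHost(id *ecdh.PrivateKey) *Host { return &Host{ID: id, Attendees: map[string]*ecdh.PublicKey{}} }
// pairGCM is AES-256-GCM under SHA-256(ECDH(mine, theirs)); the bare hash stands in for a real KDF.
func pairGCM(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	wk := sha256.Sum256(shared)
	block, _ := aes.NewCipher(wk[:]) // 32-byte key, cannot fail
	return cipher.NewGCM(block)
}
// Rotate replaces the meeting key. Join and Leave change the roster and rotate, so a departed
// device cannot read later traffic and a newcomer cannot read earlier traffic.
func (h *Host) Rotate() { h.MeetingKey = make([]byte, 32); rand.Read(h.MeetingKey) }
func (h *Host) Join(name string, pub *ecdh.PublicKey) { h.Attendees[name] = pub; h.Rotate() }
func (h *Host) Leave(name string) { delete(h.Attendees, name); h.Rotate() }
// Distribute wraps the current key for each listed device as nonce || AES-GCM(meeting key).
func (h *Host) Distribute() map[string][]byte {
	out := map[string][]byte{}
	for name, pub := range h.Attendees {
		if g, err := pairGCM(h.ID, pub); err == nil { // unusable identity key: no envelope
			nonce := make([]byte, g.NonceSize())
			rand.Read(nonce)
			out[name] = g.Seal(nonce, nonce, h.MeetingKey, nil)
		}
	}
	return out
}
// Unwrap recovers the meeting key from an envelope addressed to this device.
func Unwrap(dev *ecdh.PrivateKey, hostPub *ecdh.PublicKey, env []byte) ([]byte, error) {
	if g, err := pairGCM(dev, hostPub); err == nil && len(env) >= g.NonceSize() {
		return g.Open(nil, env[:g.NonceSize()], env[g.NonceSize():], nil)
	}
	return nil, errors.New("unwrap: bad identity key or short envelope")
}
```

Because the host never uploads the meeting key itself, only envelopes addressed to listed devices, a server that relays them cannot recover the key, which is the property that separates this design from the server-generated keys in Zoom 5.0.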
Zoom Rooms and Zoom Phone participants can attend if hosts let them. Yuan believes this will provide what he calls ‘equivalent or better security than existing consumer end-to-end encrypted messaging platforms.’ Keybase co-founder Max Krohn is the new head of Zoom’s security engineering team, and his team of 25 employees is set to join the folks at Zoom. One can only assume it will be remotely, at least for the time being.