
Just like their consumer counterparts, enterprise IT execs have flocked to Zoom for all manner of meetings. But security has invariably taken a backseat to convenience and availability, as anyone who has endured a Zoom intruder knows all too well.

Zoom this week (it hasn’t yet said exactly when) will roll out its upgraded encryption option. But it comes at the cost of surrendering various popular features. It also does not come with improved authentication and identification of users, a capability Zoom is now promising to deliver sometime in 2021.

Zoom describes its current encryption offering as adequate, but not ideal:

“This current design provides confidentiality and authenticity for all Zoom data streams, but it does not provide ‘true’ end-to-end (E2E) encryption as understood by security experts, due to the lack of end-to-end key management. In the current implementation, a passive adversary who can monitor Zoom’s server infrastructure and who has access to the memory of the relevant Zoom servers may be able to defeat encryption. The adversary can observe the shared meeting key (MK), derive session keys, and decrypt all meeting data. Zoom’s current setup, as well as virtually every other cloud product, relies on securing that infrastructure in order to achieve overall security; end-to-end encryption, using keys at the endpoints only, allows us to reduce reliance on the security of Zoom infrastructure.”

The new optional approach slated to start this week is tagged by Zoom as “a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days.” In this approach, “the keys for each Zoom meeting are generated by participants’ machines, not by Zoom’s servers. Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key.”
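To make the difference between the two designs concrete, here is an added illustration (not Zoom’s code, and not a description of Zoom’s actual protocol) of the threat model Zoom’s own text lays out: a passive adversary who can read the relay server’s memory. Under server-side key management the relay holds the meeting key (MK), so that adversary can derive the per-stream session keys and decrypt every frame; under endpoint key management the relay only ever sees wrapped keys and ciphertext. The HKDF is the stdlib-only RFC 5869 construction; the stream cipher is a toy built from HMAC-SHA256 in counter mode, used only so the example runs offline; the participant names, the `stream:` label, the pairwise host-to-participant keys and the sample media frame are all constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample payload standing in for one encrypted media frame.
SAMPLE_FRAME = b"constructed sample media frame: quarterly numbers"


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract then expand) over SHA-256, stdlib only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode XORed over data.
    Constructed for illustration only; not a production cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR keystream cipher is its own inverse


def session_key(mk: bytes, sender: str) -> bytes:
    """Per-sender stream key derived from the meeting key (label is constructed)."""
    return hkdf_sha256(mk, b"stream:" + sender.encode())


@dataclass
class RelayServer:
    """Relay that forwards packets. `memory` is what an adversary with access to
    server memory can read; `packets` is what a passive observer of traffic sees."""
    memory: dict = field(default_factory=dict)
    packets: list = field(default_factory=list)


def server_managed_meeting(server: RelayServer, participants: list) -> dict:
    """Current-style design: the server generates MK, keeps it, and hands it to each endpoint."""
    mk = os.urandom(32)
    server.memory["MK"] = mk
    return {p: mk for p in participants}


def endpoint_managed_meeting(server: RelayServer, host: str, participants: list, pairwise: dict) -> dict:
    """E2E-style design: the host's machine generates MK and sends it to each participant
    wrapped under a key the relay never holds (assumed pre-established pairwise keys)."""
    mk = os.urandom(32)
    for p in participants:
        if p != host:
            wrapped = toy_encrypt(pairwise[(host, p)], b"wrap" + p.encode(), mk)
            server.memory.setdefault("wrapped_keys", []).append((p, wrapped))
    return {p: mk for p in participants}


def send(server: RelayServer, keys: dict, sender: str, frame: bytes) -> None:
    nonce = os.urandom(12)
    server.packets.append((sender, nonce, toy_encrypt(session_key(keys[sender], sender), nonce, frame)))


def receive(keys: dict, receiver: str, packet: tuple) -> bytes:
    sender, nonce, ct = packet
    return toy_decrypt(session_key(keys[receiver], sender), nonce, ct)


def passive_adversary(server: RelayServer):
    """Adversary who reads server memory and watches relayed packets.
    Returns the decrypted frames if MK is in memory, else None."""
    mk = server.memory.get("MK")
    if mk is None:
        return None
    return [toy_decrypt(session_key(mk, s), n, c) for s, n, c in server.packets]


def demo() -> tuple:
    """Run one frame through both designs; returns (leaked_under_server_keys, leaked_under_endpoint_keys, bob_sees)."""
    srv1 = RelayServer()
    keys1 = server_managed_meeting(srv1, ["alice", "bob"])
    send(srv1, keys1, "alice", SAMPLE_FRAME)
    leaked = passive_adversary(srv1)

    srv2 = RelayServer()
    pairwise = {("alice", "bob"): os.urandom(32)}  # constructed; relay never learns it
    keys2 = endpoint_managed_meeting(srv2, "alice", ["alice", "bob"], pairwise)
    send(srv2, keys2, "alice", SAMPLE_FRAME)
    return leaked, passive_adversary(srv2), receive(keys2, "bob", srv2.packets[0])


if __name__ == "__main__":
    server_leak, e2e_leak, bob = demo()
    print("server-managed keys, adversary recovers:", server_leak)
    print("endpoint-managed keys, adversary recovers:", e2e_leak)
    print("bob still decrypts:", bob)
```

The point of the comparison is the one in Zoom’s own statement: the ciphertext and the relay are identical in both runs, and the only thing that changes is where MK is generated and who holds it. That is also why the feature trade-offs follow: anything the server used to do on plaintext (recording, transcription) needs MK, which the server no longer has.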

That is indeed a good advance for security, but it means several popular Zoom features will be disabled, including join before host, cloud recording, streaming, live transcription, breakout rooms, polling, 1:1 private chat and meeting reactions. Also, because the meeting keys have to be generated and held by client software Zoom controls, the new encryption only works in the Zoom desktop client, mobile app, or Zoom Rooms. (It won’t work if the user enters via direct browser access and certainly not if someone dials into the call.)

Copyright © 2020 IDG Communications, Inc.
