Zoom Will Be End-to-End Encrypted for All Users

Zoom is doing the right thing: it’s making end-to-end encryption available to all users, paid and unpaid. (This is a change; I wrote about the initial decision here.)

…we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe—free and paid—while maintaining the ability to prevent and fight abuse on our platform.

To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools—including our Report a User function—we can continue to prevent and fight abuse.

Thank you, Zoom, for coming around to the right answer.

And thank you to everyone for commenting on this issue. We are learning—in so many areas—the power of continued public pressure to change corporate behavior.

EDITED TO ADD (6/18): Let’s do Apple next.

Tags: cybersecurity, encryption, security engineering, two-factor authentication, videoconferencing

Posted on June 17, 2020 at 1:55 PM • 25 Comments

Comments

Edward Bear • June 17, 2020 2:12 PM

I suspect whoever came up with the “paying customers only” saw that bit of idiocy as a “they’ll have to pay us and sign up.” In effect, recruitment by force. They overlooked the fact that people do NOT react well to that sort of treatment.

I think their business will do a heckuva lot better with the new approach, if only because voluntary customers tend to be more supportive of the people they’re buying from.

sneak • June 17, 2020 2:16 PM

Now do Apple.

https://sneak.berlin/20200604/if-zoom-is-wrong-so-is-apple/

(Most of iCloud, including notes, photos(!), and backups, including your complete text message history(!!!), is not end to end encrypted for anyone, paid or otherwise.)

will • June 17, 2020 3:19 PM

It’s a positive change, but I can’t agree it’s “the right answer”. It presumes that anonymity is not helpful to democracy—somewhat ironic coming from a company in a country founded on pseudonymous communication. Had newpapers decided to “balance” privacy and safety, those people would’ve ended up in a British jail.

Sylvain • June 17, 2020 5:28 PM

So pseudonymous and building a web of contact metadata?

Jake • June 17, 2020 7:00 PM

I mean…that’s great?

I still wouldn’t put that malware on any of my machines if I can help it. What a bad company.

RatMan29 • June 17, 2020 9:20 PM

I don’t trust Zoom as far as I can throw them. They will use these phone numbers to identify Chinese dissidents, and anyone else of interest to ChiCom intelligence, and backdoor their data to the government.

Singapore Noodles • June 18, 2020 12:30 AM

@La Abeja

a certain userbase demographic

Zoom is a kind of social media. It seems to be susceptible to the ills of all social media. We can call it “social” only if we mean by the term that type of activity displayed by the two combatant sides at the wall of a besieged city. The tech lords’ proffered image of a civil chat in a gathering of friendly neighbors is wholly meretricious.

keiner • June 18, 2020 3:41 AM

@La Abeja

“The more legitimate users of video conferencing apps would perhaps be better served by a free and open source (FOSS), decentralized, peer-to-peer, …”

Why had (the real) Skype to die by getting microsofted?

Do I Really Have To Fill In The Name Every Time? • June 18, 2020 3:57 AM

So now, Chinese government (or ANY government) can just call Zoom and they will happily provide address of a “naughty boy”. There is no balance between user safety and privacy. Privacy is not a slider, it’s a tick box.

wiredog • June 18, 2020 5:36 AM

more legitimate users of video conferencing apps would perhaps be better served by a free and open source (FOSS), decentralized, peer-to-peer, make-it-yourself, do-it-yourself solution, many of which do exist already,

Yeah, and none of them are nearly as easy to use as Zoom, or Skype, Google Chats, etc. For the vast majority of users if the solution is too technical to use, they won’t use it. If you really need more privacy then you will put in the effort to learn how to use it, but most people don’t really need that.

Making Zoom “secure enough” for most uses (like AA meetings) is very easy. Require a password (it doesn’t have to be particularly good, just not easily discoverable with automated tools, the meeting name is Good Enough^TM), use the waiting room feature, require everyone to come in muted., have one or two co-hosts whose job is to monitor the other users for inappropriate names and video content.

myliit • June 18, 2020 6:33 AM

re: Zoom- 4 things or thinks

Regarding open-source Jitsi, Apparently it is straightforward to start a meeting: https://meet.jit.si/ ?

If people phone in, I assume at least audio is compromised for all users using Zoom. ?

If people don’t use the Zoom apps, I assume meetings are compromised for all Zoom meeting attendees ?

I have an old iPad 2 for Zoom meetings, which was Factory reset and is only used for Zoom meetings (only non-Apple app) with links received by iMessage. Is this a bad idea since the iPad 2 stopped getting security updates years ago?

Thanks

Petre Peter • June 18, 2020 6:46 AM

Great! Now I can have zoom meetings with my doctor.

myliit • June 18, 2020 6:59 AM

https://twitter.com/micahflee/status/1273294072900227072

“Micah Lee: Zoom will support E2EE for ALL users, free and paid! To enable it, free users must “participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message”

End-to-End Encryption Update – Zoom Blog
Since releasing the draft design of Zoom’s end-to-end encryption (E2EE) on May 22, we have engaged with a number of organizations to gather feedback.
blog.zoom.us

Micah Lee: This is so much better than only offering it to paid users. I’ve very excited about this

@JudeCNelson: Cynical take — they’ve backdoored the implementation

@micahflee: There isn’t quite an implementation yet, but when there is, if there’s a backdoor, it should be detectable. The published E2EE design looks solid, so if there’s a hypothesis for exactly how a backdoor works, it should be possible to verify if it exists

@JudeCNelson: The protocol design may be solid, but the implementation can leak data or keys in hard-to-detect ways that are indistinguishable from bugs. As far as I’m concerned, Zoom has already tipped their hand — I have no reason to assume any security bugs discovered were unintentional.

@Jude Nelson: They could rectify this breach of trust by open-sourcing their client implementation so 3rd parties can audit it for bugs in the implementation. …”

Spellucci • June 18, 2020 8:58 AM

From the zoom_e2e.pdf (https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf):

When the Zoom client gains entry to a Zoom meeting, it gets a 256-bit per-meeting key created by Zoom servers, which retain the key to distribute it to participants as they join.

I had thought that end-to-end encryption was when the key was known only to the endpoints, and not to the server in between. Do I have that wrong?

Clive Robinson • June 18, 2020 9:44 AM

@ wiredog,

If you really need more privacy then you will put in the effort to learn how to use it, but most people don’t really need that.

Sadly neither point is realy true.

Few people even supposed security experts and journalists can use the likes of PGP etc, there was a paper written more than two degades ago now called “Why Johnny can’t encrypt” at Carnegie Mellon University,

http://people.ischool.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf

Nearly a decade later another group of researchers using a newer and supposadly more user friendly version of PGP found almost all the issues had not changed, And guess what a decade and a half after the first paper another this time from researchers at Bringham Young University,

https://www.researchgate.net/profile/Kent_Seamons/publication/283334711_Why_Johnny_Still_Still_Can't_Encrypt_Evaluating_the_Usability_of_a_Modern_PGP_Client/links/59512b3ea6fdcc218d24bac9/Why-Johnny-Still-Still-Cant-Encrypt-Evaluating-the-Usability-of-a-Modern-PGP-Client.pdf

There are other papers out there about simillar usability issues. But it’s not just the crypto software it’s all the other OpSec that surrounds it’s use. A look into the real history of Ed Snowden shows just what issues he had even with one journalist who had more than good reason to be paranoid due to the way she had been previously treated by the US Gov and others. I actually wince when I see newspapers with their “whistleblower hotlines” because it’s a sure fire bet that they will fail if they even click on the link let alone try to do what they are advised to do.

But the second issue is actually more fraught and it’s to do with the likes of “The NSA record it all ‘Time Machine’ projects” and “bio-metrics”.

It can reasonably said that “we do not know our future” but we can make predictions on it. The closer we are to the basic physical make up of each individual the easier that is especially in the shorter timr scales. For instance at the lowest levels where things are time consistant we have the breakdown of radioactive particles, we do not know when each breakdown occurs but in larger quantities than a few thousand atoms we can predict the half life fairly accurately. We can also predict how much other chemicals are effected, thus we can make reasonably accurate predictions in radiological medicine. Likewise as with other atoms we can predict how likely they are to poison us or produce desired medical outcomes the same with molecules. As we get upto RNA, epigenetics and DNA we can make reasonable predictions about certain medical issues that are going to effect us as we get older. Whilst this is still a new science and we know considerably less than we will know in years to come, some larger objects such as bone and other external features are known how they are likely to change. For instance knowing your hight on your second birthday can be used as a reasonably acurate predictor of adult hight, especially if other information such as diet is known.

Thus pictures of children can be used to make good estimates of adult appearence. Other areas of medicine are progressing rapidly including that of neuroscience, where early indicators can give rise to probable behaviours in later life (something the NFL is still comming to terms with over even fairly mild head injuries). Likewise psychiatry is moving forward on mental illness prediction and events in earlier life.

Thus for someone who is still not an adult today (ie under 18-21) it is becoming rapidly easier to predict their future in less and less broad brush strokes. Which is one reason Google amoungst others are preying on children via the education system.

To think that the NSA and other Government agencies are not thinking the same way would be puting one’s head in the sand. That “record it all” policy will enable them to analyse individuals just as Theil’s Palantir system is already doing and from what can be judged so were Cambridge Analytica before they imploded. Whilst the organisations may come and go, the knowledge, and more importantly the intention continues as normal with such things at increasing pace.

Whilst we may be years away from “Pre-Crime” we are already at the point where some sort of “thought crime in potentia” is possible. But we already see large scale “Pre-Crime” systems in place. These are kind of a “brownian motion” analysis of communities that using past data and current conditions can predict where certain types of crime are more likely to happen, thus alowing a level of “targeted resourcing” in police forces.

The upshot is for children, teens and even young adults various entities can make reasonable estimates as to what you are going to be in your midlife and older. For the purposes of “state control” it matters not a jot if your future can be accurately mapped, they just need to know certain probabilities to know if you should be more intently watched or even prevented from entering certain jobs or domains of work.

We know that this is currently done very crudely in some western countries already and mostly for bad reasons that get swept under the National Security blanket/carpet. In future such methods will become less and less crude and likewise the majority of peoples life opportunities will get reduced simply because they “over shared” when younger.

Thus nobody knows how little or much security of communications they do need, thus 99.99% or more will underestimate early in life, and that may very well haunt them for the rest of their life, and even beyond into their descendents lives.

But even if they can not get “reliable results” we know based on past performance that Government Entities are going to want to do this, as will others for more commercial reasons. In effect we know from history that some of the “inmates will take over the asylum” for their own personal gain irrespective of the efficacy of the technology.

wiredog • June 18, 2020 12:14 PM

@Clive Robinson
“99.99% or more will underestimate early in life, and that may very well haunt them for the rest of their life,”
Too true. Go to any AA meeting and eventually you’ll hear someone in the 50+ crowd saying “Thank God we didn’t have cell phones with cameras back in the day” followed by lots of uncomfortable looks from the younger crowd.

lurker • June 18, 2020 6:16 PM

@myliit

Apparently it is straightforward to start a meeting: https://meet.jit.si/ ?

Oh really?

It looks like you’re using a browser we don’t support.
Please try again with the latest version of Chrome or Firefox

Sorry, there’s some part of “dummy” I don’t understand…

Leon • June 19, 2020 12:46 AM

Hello,

I won’t be too quick to give them credit. This is not E2EE – that is only the sender and recipient can decrypt it as we know it as in Signal, Wire or WhatsApp.

This podcast on YouTube will make the critic clearer:
https://www.youtube.com/watch?v=miIYxsqv92I

The discussion of E2EE is towards the end of the segment. It allows MiTM in order to give law enforcement (or whoever) to study the content. That means Zoom has your key!

It looks like it is trying to win government’s support by supporting EARN-IT act. https://www.schneier.com/blog/archives/2020/03/the_earn-it_act.html

Furthermore when the host switch on their “E2EE”, it blocks Browser, Telephone, and old version client program.

Zoom please do not use E2EE. You can call it whatever encryption but not E2EE.

Leon

myliit • June 19, 2020 5:44 PM

@lurker

“Oh really?

[…]

Sorry, there’s some part of “dummy” I don’t understand… “

Sorry if I wasted your time. Although I have visited that web page several times, probably using Brave’s browser, I never actually tried a meeting. As a practical matter, I’m sort of stuck with Zoom or FaceTime.

Mark • June 22, 2020 12:33 PM

Glad they’re taking this seriously now and changed their mind to allow it for free users with some verification, but I still refuse to use Zoom when there are less shady alternatives available (Jitsi, Meet, Duo, Skype)

SpaceLifeForm • June 23, 2020 3:20 AM

There are issues. Marketing snow.

The citizenlab research says AES 128 ECB, but zoom is saying AES 256 GCM.

The website itself may be AES 256 GCM, but the actual AV over UDP is only AES 128 ECB. Which is not secure.

Anyone that can MITM the Zoom traffic (do not need China server), most likely can discern the key via enough traffic.

Before you say, no way, it’s secured by the key!

There is way, way too much repeating ciphertext.

First, you go into “collect it all” mode.

After enough traffic, you can see the repeating traffic, because you will be able to determine frame rates, size of frame, and because, most people sitting at a computer do NOT have a constantly changing background one will be able to identify the data blocks that correlate to the same plaintext.

A chunk of ‘white wall’ in the background.

That plaintext will not change. The ciphertext will appear so.

But, I’ll bet you, that the ciphertext will leak the key over many blocks of the ‘white wall’ plaintext.

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

The Zoom transport protocol adds Zoom’s own encryption scheme to RTP in an unusual way. By default, all participants’ audio and video in a Zoom meeting appears to be encrypted and decrypted with a single AES-128 key shared amongst the participants. The AES key appears to be generated and distributed to the meeting’s participants by Zoom servers. Zoom’s encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input.

Clive Robinson • June 23, 2020 6:01 AM

@ SpaceLifeForm,

Zoom’s encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input.

We’ve seen this sort of nonsense before with A5 in the GSM specification.

Back fourty years ago, you had to “hand code in assembler” and you learnt a few tricks. Other tricks came due to people trying to make moving assembled code around easier prior to the use of memory segmentation or memory managment units. Some of these tricks got teeth because you could “hand patch” other peoples code. Thus those wanting to “unlock code” on the likes of the Apple ][ games and later those wanting to write “boot sector” and “exe loader” malware weaponised “binary patching”.

For various reasons modern code is generally not well written, which tends to make patching easier. Thus the question arises as to how hard it might be to “binary patch” Zoom either in it’s exe or at runtime?

The reason I’m thinking along these lines is not because I have any intention of doing so, but because if I was writing code that was backdoored to leak KeyMat, I would put rather more than one alternative way in to do it. Thus finding such “holes” might indicate if Zoom are “playing dumb, at others request”…

myliit • June 23, 2020 6:22 AM

Even people with “Nothing to Hide” may have “Something to Hide.”

https://www.wsj.com/articles/the-dangerous-secrets-our-working-from-home-photos-reveal-11592605931

“The Dangerous Secrets Our Working-From-Home Photos Reveal

Cybercriminals can glean many clues from scrutinizing shots of home offices and webconferences

As more people work from home during the Covid-19 pandemic, they are sharing photos of their online meetings and remote-working setups—and that’s putting their security at risk.

My research into oversharing online shows that people often don’t realize how much personal information they are revealing in photos—images of their houses and hobbies that provide clues about their usernames, passwords and other personal information. And hashtags like #WorkFromHome and #HomeOffice make it convenient for crooks to zero in on photos …”

JonKnowsNothing • June 23, 2020 10:33 AM

@Clive @All
re:

if I was writing code that was backdoored to leak KeyMat, I would put rather more than one alternative way in to do it.

iirc(badly)
During the Snowden Info-Explosion years, with NSA slides showing the years and duration of “cooperation” from all major USA internet and computer companies (I think it excluded backhaul – that was another slide) a number of new-retold-verified stories about how some of that happened without “Anyone Knowing”.

One story was that there was 1 dude in the whole company that was In-the-Pocket of the NSA and that dude inserted all the backdoors in every product that the NSA wanted access to.

Another later story about the fallout between Alex Stamos and then Yahoo! CEO Marissa Mayer over a secret coding group/programmer at Yahoo! supporting the NSA. This was an internally unknown and undisclosed group/person authorized directly by M. Mayer. When the group/person was exposed during attempts to secure the Yahoo! systems, M. Stamos was Not Amused and left.

All it takes is one.

Also, just in case folks have forgotten:
Most big tech companies have a special government interface group. These people are tasked with doing “the work” as requested by governments (world wide but cooperation varies). The governments (aka LEOs) send bat-signals and these employees do the work thus providing a legal hand-over. They often work in separate areas or offices and have few interactions with normal employees which helps maintain their camouflage.

ht tps://en.wikipedia.org/wiki/Alex_Stamos
ht tps://en.wikipedia.org/wiki/Alex_Stamos#Yahoo!

He resigned in June 2015 [from Yahoo] in response to a then-undisclosed program to scan incoming email on behalf of United States government intelligence agencies

ht tps://en.wikipedia.org/wiki/Marissa_Mayer
(url fractured to prevent autorun)

Yolaka Lemowa • May 1, 2021 8:02 AM

Hello Mr Schneier,

Hope you’re well…

This seems to be the last blog post you had on Zoom? (or I didn’t know how to search properly), but I was wondering if you had an updated opinion on the service now that a year has passed.

How much did they improve? did they follow up on promises in reaction to the backlash of last year?

Would love to hear your thoughts

Schneier on Security

Zoom Will Be End-to-End Encrypted for All Users

Comments

Leave a comment Cancel reply