Just out a few hours ago:
‘Zoom is malware’: why experts worry about the video conferencing platform
https://www.theguardian.com/technology/2020/apr/02/zoom-tech…
on Thursday, the company announced it would freeze all new feature development and shift all engineering resources on to security and safety issues that have been called to attention in recent weeks.
and
Zoom meetings can be accessed by a short number-based URL, which can easily be generated and guessed by hackers…
and
A report from Motherboard found Zoom sends data from users of its iOS app to Facebook for advertising purposes, even if the user does not have a Facebook account.
The Guardian article seems a bit overdone to me. For instance, it raises the end-to-end encryption controversy, mentioning that Zoom apologized but not mentioning the rationale for what Zoom actually does encryption-wise and why true end-to-end encryption isn’t actually possible in all circumstances. What should be discussed is whether, given that Zoom obviously has the ability to decrypt on its servers, we trust Zoom not to perform this decryption.
For instance, in Zoom’s statement (https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-…), they say:
we have created specialized clients to translate between our encrypted meetings and legacy systems. We call these Zoom Connectors, and they … are effectively Zoom clients that operate in Zoom’s cloud.
So, it’s clear that Zoom does have the ability to decrypt in their cloud. And they try to calm us down by saying:
Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes
This doesn’t really address enough of the issues. The “live” qualifier leaves open whether Zoom can decrypt recorded meetings, perhaps even with Zoom recording meetings without users being aware. And the “for lawful intercept purposes” is another disclaimer, leaving open other reasons for decrypting meetings. And they do! They just admitted they decrypt to support clients that can’t decrypt. Obviously, that’s a really good reason to have that capability, but they can’t say they don’t have the capability.
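To make the key-custody point concrete, here is a small added model (my own illustration, not Zoom's code or design) of a media relay with and without a "connector" client that runs in the provider's cloud. The cipher is a stdlib-only HMAC-SHA256 counter-mode keystream chosen so the script runs anywhere; the meeting key, the meeting id "m1", the client names and the message are all constructed for the example. The relay records every frame it forwards regardless of whether it can read it, which is why "live" is the wrong qualifier: what matters is whether the provider ever holds the key, because recorded ciphertext plus a key obtained at any time equals a decrypted meeting.

```python
"""Toy model: who holds the meeting key, true end-to-end vs. a cloud-side connector.

Illustrative code added to this thread, not Zoom's design. The cipher below is an
HMAC-SHA256 counter-mode keystream used only so the example needs no third-party
library; it is not a recommendation for real media encryption.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, nonce) via HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes):
    """Return (nonce, ciphertext); a fresh random nonce per frame keeps keystreams distinct."""
    nonce = secrets.token_bytes(12)
    ks = keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Client:
    """A meeting participant. `lives_in_cloud=True` models a provider-operated connector."""

    def __init__(self, name: str, key: bytes, lives_in_cloud: bool = False):
        self.name = name
        self.key = key  # meeting key, assumed agreed among participants out of band
        self.lives_in_cloud = lives_in_cloud
        self.inbox = []

    def receive(self, nonce: bytes, ct: bytes) -> None:
        self.inbox.append(decrypt(self.key, nonce, ct))

    def send(self, relay: "Relay", meeting_id: str, msg: bytes) -> None:
        nonce, ct = encrypt(self.key, msg)
        relay.relay(meeting_id, self, nonce, ct)


class Relay:
    """The provider's media server: forwards frames and keeps a copy of every frame it sees."""

    def __init__(self):
        self.known_keys = {}   # meeting_id -> key; populated only when a cloud-side client joins
        self.recorded = []     # (meeting_id, nonce, ciphertext) for every relayed frame
        self.subscribers = {}  # meeting_id -> list of clients

    def join(self, meeting_id: str, client: Client) -> None:
        self.subscribers.setdefault(meeting_id, []).append(client)
        if client.lives_in_cloud:
            # A client operating inside the provider's cloud puts the key in the provider's hands.
            self.known_keys[meeting_id] = client.key

    def relay(self, meeting_id: str, sender: Client, nonce: bytes, ct: bytes) -> None:
        self.recorded.append((meeting_id, nonce, ct))
        for c in self.subscribers[meeting_id]:
            if c is not sender:
                c.receive(nonce, ct)

    def what_server_can_read(self, meeting_id: str):
        """Plaintext the provider could recover from its recordings, or None without a key."""
        key = self.known_keys.get(meeting_id)
        if key is None:
            return None
        return [decrypt(key, n, c) for m, n, c in self.recorded if m == meeting_id]


def run_meeting(with_connector: bool) -> dict:
    """Run one constructed meeting and report what the other participant and the server can read."""
    key = secrets.token_bytes(32)
    relay = Relay()
    alice, bob = Client("alice", key), Client("bob", key)
    relay.join("m1", alice)
    relay.join("m1", bob)
    if with_connector:
        relay.join("m1", Client("legacy-connector", key, lives_in_cloud=True))
    alice.send(relay, "m1", b"quarterly numbers")
    return {
        "bob_heard": bob.inbox,
        "frames_recorded": len(relay.recorded),
        "server_can_read": relay.what_server_can_read("m1"),
    }


if __name__ == "__main__":
    print("no connector :", run_meeting(False))
    print("with connector:", run_meeting(True))
```

In both runs the relay records exactly one frame; only the presence of the cloud-side connector turns that recording into readable plaintext, which is the capability the statement concedes.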
What would be interesting is to know how secure any of the other video conferencing services really are. Is Cisco’s Webex any more secure, for instance?