Security and Privacy Implications of Zoom
2020-04-03 15:10

In Zoom's white paper, there is a list of "Pre-meeting security capabilities" that are available to the meeting host that starts with "Enable an end-to-end encrypted meeting." Later in the white paper, it lists "Secure a meeting with E2E encryption" as an "In-meeting security capability" that's available to meeting hosts.

When reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, "Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."

The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber's company, are outside of China.

For help securing your Zoom sessions, Zoom has a good guide.

Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure.


News URL

https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zoom 52 4 50 57 9 120