
Zoom to bring end-to-end encryption to all users, including non-paying - jmsflknr
https://blog.zoom.us/wordpress/2020/06/17/end-to-end-encryption-update/
======
hypewatch
I find this story arch with Zoom amusing:

1\. Pre-COVID Zoom claims it has E2E encryption for everyone.

2\. During COVID Zoom grows in popularity, which prompts journalists to learn
that the claims that Zoom has E2E encryption are inaccurate.

3\. Zoom admits that it never had true E2E encryption, but announces they will
develop it and it will only be available for paying customers.

4\. Zoom gets another wave of criticism for restricting its new E2E encryption
service so it walks back to its original message that all accounts get E2E
encryption.

Given their track record I’d expect this timeline to repeat itself so after
they release this E2E encryption feature, security researchers will discover
that it’s not true E2E encryption again.

~~~
reaperducer
Another way of looking at it is that Zoom is learning from its mistakes and
making improvements that the market demands.

I'm no Zoom fan (I'd even use BlueJeans first), but people on HN are always so
eager to crucify a company for its past. If it made mistakes, get out the tar
and feathers! If it doesn't fix those mistakes, get out more tar and feathers!
If it fixes the mistakes, even more tar and feathers!

~~~
hypewatch
A generalization like “people on HN are always...” coming from a 3yr old HN
user with 20k+ karma points looks like a case of the pot calling the kettle
black.

Criticisms of large corporations is a healthy part of the HN community IMO. In
fact, if we didn’t criticize Zoom they might still be lying about their E2EE
capabilities.

~~~
skinnymuch
A majority of the alternatives put up vs Zoom here outside Jitsi come from
Verizon, Microsoft, and Google. Seems more like the routine of being super
anti something specific. Like Facebook before and now. Among others.

------
fsflover
"To make this possible, Free/Basic users seeking access to E2EE will
participate in a one-time process that will prompt the user for additional
pieces of information, such as verifying a phone number via a text message.
Many leading companies perform similar steps on account creation to reduce the
mass creation of abusive accounts."

Perfect instrument to collect more personal data.

~~~
Aunche
Is there any E2EE app that doesn't require verification? Whatsapp does. Even
Signal requires a phone number.

~~~
2StepsOutOfLine
[https://riot.im/](https://riot.im/) lets you sign up without even an email

------
vulcan01
This is the same company that said that it "won't encrypt free calls so it can
work more with law enforcement"[1]. I'd stay away.

[1]:
[https://news.ycombinator.com/item?id=23399924](https://news.ycombinator.com/item?id=23399924)

~~~
topher200
This blog post specifically says that it's a walk-back of the policy announced
in your link.

~~~
shaggyfrog
Why trust any company that put out the initial policy in the first place?

Have they had a fundamental turnover in management, indicating a new pro-
privacy culture? Did they move their development out from under the thumb of
the CCP?

No and no?

So what’s changed?

If they weren’t trustworthy before, they certainly aren’t now.

~~~
adrianmonk
One thing that has changed is that their userbase broadened.

They were mostly focused on workplace meetings. If that's your focus, then
most of your users are employees of some company whose contact information you
have. Users with unverified identities are a corner case that you may not feel
is worth trying to get right.

Thanks to the pandemic, they have millions of new users who use Zoom for
personal purposes (meeting with friends and family, etc.). What once was a
corner case isn't anymore. It might even be their most common type of user.

I'm not arguing that Zoom can necessarily be trusted, but I can see a
plausible reason how they could have gotten to where they are on this issue.

~~~
user982
_> One thing that has changed is that their userbase broadened._

Their userbase changed in the two weeks since they announced their policy?

~~~
adrianmonk
I agree they should be cluing in by now. I'm just saying it could be growing
pains from shifting from a B2B business to a B2C business. That difference has
huge effects on product design and on your mindset. Being slow to realign your
mindset with reality isn't necessarily the same thing as being dishonest or
disreputable.

But yeah, while feeling that you can't trust them because they don't know what
they're doing is not the same as feeling that you can't trust them because
they're in cahoots with someone (governments, etc.) against your interests, in
the end they're both forms of feeling that you can't trust them.

------
rgovostes
Aside from whatever the Zoom news story of the day is, it's completely
unsurprising that they're eating WebEx's lunch. I just tried scheduling a
meeting and it was outrageously bad.

The bright green "Start" and "Schedule Meeting" buttons just pop up an error.
The correct button to progress is the dark grey (as if disabled) "Next"
button.

It prompts me to create a "personal conference number", whatever that is. This
errors and tells that I need set a PIN in my preferences. I search for the
preferences for a while and eventually find that I _do_ have a host PIN set...

At this point I gave up.

Gripes on the participant side: Why does it ask me to provide my name in the
browser when joining a meeting before launching the app which already _knows_
my name? Why do I have to manually press the refresh button to discover
scheduled meetings?

Cisco pulled a Boeing with the development of one of their crown jewels, and
Zoom swooped in, even with shady practices, and snatched up significant market
share.

~~~
duxup
I think Cisco bought webex largely because Cisco's big expensive conferencing
hardware / software were under threat and they wanted in on what would replace
it.

Cisco itself has time and again bought its way into things that aren't their
core competency and they fumble around with them.

They bought Flip video for 590 million years ago, despite the fact that every
person in Cisco's office had a smart phone in their pocket that would render
it relatively useless...

I think video conferencing applications are often doomed to turn into behemoth
messes for some reason that I can't figure out.

~~~
redis_mlc
Since Zoom's first 41 employees were from Webex, somebody should compare the
streams and files and see if there are similar markers.

------
jaredtn
It’s still only opt-in. Users have to submit an application (including text
message verification and other personal info) to gain access to E2E
encryption. Zoom has shown that it does not care about privacy.

~~~
robotfelix
Isn't it fair to say that this brings Zoom more-or-less exactly in line with
the privacy vs law enforcement balance of a normal telephone call?

Writing from the UK, I'm reasonably sure that (a) all my phone calls are not
recorded and (b) the phone number and duration of every call absolutely _is_
recorded (this has to be shown on your phone bill!) and is available to the
police when needed.

Speculating further, with the right court orders / warrants the normal E2E
encryption algorithm for a particular user could be replaced with a "law
enforcement decryptable" one and, hey presto, it's a Zoom equivalent of a
proportionate wiretap that only covers future calls. Certainly a lot better
than encrypting the calls of all users with such an algorithm "just in case".

~~~
samatman
Why on Earth would you trust Zoom, a company which has repeatedly done
extremely sketchy things, to implement their closed-source proprietary
platform in this specific way?

It would be easier to just lie about the encryption being end-to-end.

Personally, I will never use Zoom for anything, a decision I came to when my
OS vendor (Apple) pushed a security update for my OS _to get rid of Zoom_.

~~~
robotfelix
I wasn't really trying to comment on their overall trustworthiness - I just
don't think you have to stretch very far to imagine how a conversation between
≥1 Zoom employee who genuinely does care about privacy ("our users are
demanding E2EE") and law enforcement agencies ("we demand or are entitled to
certain powers") might have resulted in the offering being announced today.

------
surround
> All Zoom users will continue to use AES 256 GCM transport encryption as the
> default encryption, one of the strongest encryption standards in use today.

I’m glad that Zoom is finally implementing E2E encryption, but I hate that
they have been (and still are) advertising “full encryption” and using jargon
like “AES 256 GCM” to deceive users into thinking they’re using anything more
than SSL.

~~~
SV_BubbleTime
Worse than that. Saying AESGCM doesn’t even mean they are using SSL or DH key
exchange or etc. it just means they’re using symmetric for the data, that’s
all. Nothing about how the key is securely transferred to each side and how
the user can have any confidence they aren’t passing the key back to
themselves anyhow.

~~~
kayfox
They use TLS, they have been using TLS this whole time.

This E2E encryption is on top of TLS.

~~~
SV_BubbleTime
I see, but transferring the AES key directly over TLS is the worst scenario
because now you be certain Zoom has it, no?

------
botto
I'm quite frustrated they are calling this end to end. I can't find it now but
a tweet earlier indicated that they have the keys and can help law enforcement
with investigations which means it's can't be end to end.

~~~
yepthatsreality
It’s the new corporate offering of e2emitm

~~~
anticensor
or rather, e2e2e

~~~
dane-pgp
End to Eavesdropper to End?

~~~
anticensor
End to End to End :)

AB/BC link encryption is the correct way to refer to such a scheme.

~~~
dane-pgp
If we're being serious, then then another term used is "hop-to-hop
encryption", as in [0]:

"Unlike PGP and S/MIME, STARTTLS provides hop-to-hop encryption (TLS for
email), not end-to-end."

[0] [https://www.eff.org/deeplinks/2018/06/technical-deep-dive-
st...](https://www.eff.org/deeplinks/2018/06/technical-deep-dive-starttls-
everywhere)

------
jupp0r
Correct me if I'm wrong, but calling this E2E encryption is a marketing stunt.
If I model Zoom as a malicious entity (or them being compromised by a third
party), confidentiality is still compromised. This is different to what we
normally understand under E2E, where I only have to trust the people I
communicate with.

~~~
ryanmcbride
Very true. If Zoom handles the encryption and decryption on their servers,
rather than fully on the client's machine, then they can still "listen in".
The only way I would trust their E2E is if they can't see or hear what's
happening too. It's wild to me that companies I've worked for that have insane
privacy and on-prem server requirements, will use Zoom no questions asked.

------
paulcarroty
Too late, Zoom. I believe yet another security fail is just matter of time.
Also don't wanna

* be banned by Chinese government order like [https://arstechnica.com/tech-policy/2020/06/zoom-cites-chine...](https://arstechnica.com/tech-policy/2020/06/zoom-cites-chinese-law-to-defend-censorship-of-human-rights-activists/)

* send my IPs to servers in China.

------
gfodor
with closed source, hosted software E2EE is as much about trust as it is about
technology since you can't verify its implementation. arguably, if trust is
there, E2EE doesn't get you much anyway other than for scenarios where the
company itself is breached.

in any case, if the trust isn't there, you can't validate the E2EE, so your
risk profile with regards to using the software doesn't change much.

~~~
SahAssar
You can verify closed source E2EE as long as you can inspect the traffic going
client-server. The problem is that most E2EE apps allow auto-updating, so
baking in something that transmits info to a third party is easy (but
detectable with enough eyes on the code).

~~~
gfodor
But what's stopping the software from, say, having a backdoor that is only
exposed under certain conditions? For example, if you are under an FBI
investigation. I suppose you could automate the verification on a per-call
basis. Unfortunately, every bit over the wire would need to be seen by a fool-
proof algorithm to ensure your safety. Seems not tractable.

~~~
SahAssar
Agreed. You can only verify E2EE for the traffic you inspect, not for traffic
you don't. If they open-sourced the client it'd help a lot, but I'd also like
to point out that you probably have stuff in your current device that has DMA
and network access that is not open source either (PSP, IME, 4G modem, and so
on) and that could break that encryption too.

If you are under serious investigation I wouldn't trust anything "smart"
manufactured in a country under that investigations jurisdiction.

~~~
gfodor
Yup fair point. Circling back to Zoom, I think the trust part of this has been
violated enough that such an inspector tool ought to be considered strictly
necessary to use it if you are security minded. So in the end, there's not
much of a point to the announcement imo.

------
lindgrenj6
I think this is too little too late, mine (and many other's) opinion on them
has been tarnished.

Good for them, but it's still going to be an uphill battle imo.

------
thevagrant
Personally, I'm not feeling comfortable using Zoom on my PC. Just the other
day, when opening the app, I was given a warning that the security certificate
was untrusted and I would need to trust the certificate to proceed.

I tried updating the app and the same error occurred. Perhaps their cert had
expired or it was some oversight but I'm done. I've removed Zoom.

~~~
RandomBacon
I only have it installed on a spare laptop that I leave off unless I'm doing a
meeting.

100% do not trust.

~~~
dhosek
I only use it on my iPad. It's not getting anywhere near a non-locked down
system.

------
mikece
Has Zoom ever had their application(s) audited for security? Without an
independent, external audit I don't know why they should be trusted that
they've actually done e2e completely or correctly.

~~~
gruez
Any E2E implementation is worthless if the service provider controls the keys
and doesn't allow the user to verify it (or alerts the user in the event of a
key changing). Otherwise the service provider can simply swap the keys when
they want to eavesdrop on someone and the users would be none the wiser. I
don't believe that zoom has such measures, so any audit into whether E2E was
implemented properly is pointless.

~~~
a1a1a1a1a1a1
That was my thought exactly, but I read the zoom whitepaper
([https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom...](https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e_v2.pdf)),
and it looks like the scheme addresses many of those issues.

Some things that looked like good steps:

> we will allow the SSO IDP (Identity Provider) to sign a binding of a Zoom
> public key to an SSO identity, and to plumb this identity through to the UI.

> Second, we allow users to track contacts’ keys across meetings. This way,
> the UI can surface warnings if a user joins a meeting with a new public key.

> we will implement a mechanism that forces Zoom servers (and SSO providers)
> to sign and immutably store any keys that Zoom claims belong to a specific
> user, forcing Zoom to provide a consistent reply to all clients about these
> claims. Each client will periodically audit the keys that are being
> advertised for their own account and surface new additions to the user.

> In Phase IV, we look to the future where Bob should sign new devices with
> existing devices, use an SSO IDP to reinforce device additions, or delegate
> to his local IT manager.

All of this of course relies on a zoom client actually doing everything
described in the whitepaper, but it certainly looks like a good faith effort
to implement real, functional e2ee

------
Jeaye
Zoom is a closed-source application. Even if it implements perfect E2EE, you
still need to trust the Zoom client itself. I don't see any reason why someone
would trust the closed-source Zoom client, which means that E2EE basically
means we're back to square one.

------
tompic823
I commend Zoom for listening to the outcry over E2EE being limited to paid
users. Between this move and their quick acknowledgement of mishandling the
shutdown of accounts when asked by China, they're doing a better job than most
of responding to criticism.

~~~
A4ET8a8uTh0
Agreed. I am always confused about the smackdown following a reversal from an
arguably bad decision. We should be welcoming in hopes other companies note
that being responsive is a good thing.

Otherwise, it is just being stuck between rock and a hard place with no place
to move.

~~~
Nullabillity
What good are the apologies when they keep making new "mistakes"?

~~~
A4ET8a8uTh0
I would argue that it is harder on us as it requires engagement and being a
conscious customer.

Sadly, it is not really new. Companies will typically attempt to extract
maximum amount of milk with minimum amount of moo. If they keep making
mistakes, we need to keep making noise.

Not fun, but someone has to do it.

------
rickyplouis
Does end to end encryption help when it's known that much of the traffic is
routed through China? Genuine question.

~~~
josephcsible
Yes. The whole point of end-to-end encryption is that your data is safe even
when it goes through untrusted servers. (I know they might have a backdoor, or
might screw it up somehow. But in principle, if they do it securely, then this
holds.)

~~~
vulcan01
Is it possible for Zoom / the CCP to hold the encryption keys? That would make
it insecure, right? (genuine question).

~~~
ajzinsbwbs
If implemented correctly, the server doesn’t get the key. Look up
Diffie–Hellman key exchange for more information on how this is possible. This
can be verified by auditing the client so you don’t need to trust Zoom.

~~~
bonestamp2
What do you mean by auditing the client... Like audit the source code or
something that we could do independent of the source code? (serious question)

~~~
botto
You can audit the client either through source code or through very painful
binary analysis.

------
cletus
To anyone who likes to argue Zoom is a US company, I'm sorry but that argument
holds no water for me after this [1]:

> The statement raises questions about Zoom bowing to Chinese pressure. Unlike
> many Western social media platforms, it is not blocked in China. The company
> did not explain under what law the meetings – which were hosted outside
> mainland China – were deemed to be illegal.

For meetings outside of China where the Chinese government should have no
jurisdiction, Zoom choose to cooperate.

Some obvious follow-up questions:

1\. Where will the keys be stored? On servers in China or elsewhere? Will it
depend on where the account holders are? Or are the private keys truly local?

2\. What safeguards are in place to prevent further "cooperation" with Beijing
in relation to supposedly encrypted traffic?

3\. Zoom is not blocked in China, which is pretty rare for a supposedly US-
based company. What concessions did they make to get this exemption?

4\. Under what circumstances will any of your data be stored in, routed
through or otherwise be accessible in mainland China?

Given China's philosophy that Chinese companies are nothing more than
extensions of the state, these are entirely reasonable questions to ask. Were
I the decision maker for any large company or government organization, I
personally would consider use of Zoom to be too much of a security risk. And I
don't think that's the slightest bit alarmist.

[1]: [https://www.theguardian.com/world/2020/jun/12/zoom-admits-
cu...](https://www.theguardian.com/world/2020/jun/12/zoom-admits-cutting-off-
activists-accounts-in-obedience-to-china)

------
JosephRedfern
How exactly does E2E encryption work for something bandwidth intensive like
Zoom? It can't possibly be encrypting the stream with a different key for
every participant, the bandwidth requirements would be impossible.

Is a new key generated for each stream, which is then individually encrypted
with every other participants public key, and then sent to the participants
for them to decrypt?

~~~
phyzome
Here's their whitepaper, linked in the post:
[https://github.com/zoom/zoom-e2e-whitepaper](https://github.com/zoom/zoom-e2e-whitepaper)

------
Fice
A communication service should use an openly specified protocol allowing
independent client and server implementations, otherwise it's hostile to
internet freedom. I believe that we should not recommend and should avoid
using a service that does not meet this requirement, no matter what features
it offers, including E2EE.

------
smartbit
Super. Would be interesting to see how good it scales. 200 people in a town-
hall meeting will be an interesting engineering challenge I would think.

~~~
willcipriano
Diffie–Hellman[0] is pretty cheap, you do it every time you visit a site with
SSL enabled. Having the meeting leader do it 200 times to pass around a shared
key generated on the client would be e2e and have minimal if any performance
impact. There is probably a cleverer way to do it that I'm not aware of as
well.

Edit: One issue is the client can run out of entropy but I think that would
only happen on modern operating systems if you had hundreds of thousands of
clients to negotiate with.

[0][https://en.m.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_e...](https://en.m.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)

------
scared2
Zoom is fishy.

Some time ago I had to give lecture to a company who only has zoom as an
option. I fired up a VM, installed zoom. Gave the lecture. Deleted the VM.

------
khanan
Oh god... Let this die already, they had their chance -- it's gone. Nobody in
their right mind would touch Zoom with an 10" pole.

~~~
fsflover
I wish it was true. Every meeting at my job requires Zoom.

~~~
0xy
Then your job has security staff so careless that they don't care about IP
exfiltration to China.

------
tw04
Give us your mobile number so we can hand it over to the PLA so they're able
to launch targeted attacks at dissidents?

~~~
YarickR2
Are you dissident ? Know any ?

~~~
dane-pgp
“No one is free until we are all free.” -- Rev. Dr. Martin Luther King, Jr.

------
shuringai
After their comment on how willing they are to cooperate with FBI and law
enforcement I can only believe in this PR stunt if they make the code open.
Otherwise it's safe to assume a backdoor

------
kevwil
At this point, it's "fool me once, shame on you, fool me twice, shame on me",
like it's tough to believe anything they say at this point.

------
zentiggr
Zoom seems to be a poster child for the surveillance state.

Does anyone reasonably want their "encrypted" conversation to route through
servers physically in China?

~~~
lkbm
If they're actually encrypted, I don't care much security-wise, but I do
performance-wise. Given that Zoom works reasonably well, I very much doubt
that they're sending all my data to and from China. You don't run a service
like this without servers in lots of places.

I'd hope that when I Zoom with my coworkers two miles south of me in Austin,
we're using AWS/Azure/Google Cloud/whatever servers in Texas, or at least
within a couple thousand miles.

------
pigubrco
Google Duo also just announced that they will now support up to 32-person
group chats that is rolling out slowly to all platforms. But more importantly,
they will be e2ee:
[https://twitter.com/Emad_Omara/status/1272919561789005826](https://twitter.com/Emad_Omara/status/1272919561789005826)

------
montroser
Good to see they're listening and customers are able to bring some
accountability here. But it still seems like their heart isn't really in this
move.

At work we have been looking at two fantastic "indie" alternatives:

[https://whereby.com](https://whereby.com)

[https://team.video](https://team.video)

------
av_engr
I'm still skeptical about everything they propose as "secure" and "safe" after
all the previous security issues and censoring meetings for the memorial of
the 1989 Tiananmen massacre. Also, the one-time verification thing with phone
number verification?...

------
jpg191
If it is nonfree, there is no way to know if generated keys are private. There
is no way if there is a backdoor. There is no way to know if that mandatory
update will install it.

Give me a Free software client and an open and reliable standard to encrypt.
Otherwise, this is bullshit.

------
BiteCode_dev
As long as zoom is closed source from end to end, they could pretend to use
quantum entanglement over IP, for all I care.

I still use it, don't get me wrong. My threat model for the use case that I
make of zoom does not need strong encryption, only being script kiddies proof.

------
wskinner
> E2EE as an advanced add-on feature for all of our users around the globe –
> free and paid

How will they square this with the censorship required of them in China?
Presumably they are not going to shut down the service in China.

------
miga
"Yes we made fraudulent claims to our users, but we will make up for you: we
promise to cheat you less in an indeterminate future."

Is that what you tell to the judge to decrease your sentence?

------
ngcc_hk
Weibo approach; give your personal info and grow from there. Lots of info to
pay with x00m ... World can’t trust they hold my record and share it with Gov
(including and in particular chinese gov). The balance is not transparent. And
you are not sure ... for the one I have no choice like studying my 2nd master
degree. But the one I have ... a big NO. Already have google and Facebook that
know a lot about me than myself. Do not want #ccp as well.

------
ashtonkem
Another day, another company back peddling in a hurry after a predictable PR
snafu, only to discover that they burnt good will for nothing.

You’d think they’d learn, but alas.

------
p4bl0
Well, as usual with their blog I'm redirected to the French blog home page
instead of the linked article. So I guess once again I won't read that PR.

------
TedShiller
Except that Zoom's "end-to-end encryption" is technically not "end-to-end", as
previously discussed.

So what are they actually announcing then?

------
leazzz
Big brother still watching you.

------
albntomat0
How do other free group video chat services handle e2e encryption? I remember
hearing that most do not, but cannot find good, up to date sources.

------
pieq
I've read several articles about this, from US, UK and French sources, and
none of them mention alternatives like Jitsi. Is it just a lack of knowledge?

I've tried Zoom once, it was a disaster. I've tried Jitsi, it was much better.
Moreover, Jitsi doesn't require any installation on the client side, and you
can host your instance or join an existing one (you trust).

------
rihpooo
That's actually very common, most online conferencing systems will say they
are end-to-end encrypted when they actually aren't/they consider end-to-end to
be from your client to the server. This was a big issue when we were selecting
a supplier for such a solution and actually wanted to use a cloud solution but
none of them had proper end-to-end encryption.

------
BadOakOx
Does their E2E even matter if they are using flawed encryption?

[https://theintercept.com/2020/04/03/zooms-encryption-is-
not-...](https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-
for-secrets-and-has-surprising-links-to-china-researchers-discover/)

------
sneak
Now do Apple.

[https://sneak.berlin/20200604/if-zoom-is-wrong-so-is-
apple/](https://sneak.berlin/20200604/if-zoom-is-wrong-so-is-apple/)

(Most of iCloud, including notes, photos(!), and backups, including your
complete text message history(!!!), is _not_ end to end encrypted for anyone,
paid or otherwise.)

------
deviation
Don't know about you guys, but I think Zoom is the last place I'll be sending
AWS secrets to my team over.

------
exabrial
What if we want high performance calls instead because our attack surface
doesn't include the need for E2E?

------
YarickR2
Rule #1 - whatever you do , you won't please HN crowd unless it's FOSS
residing in Switzerland .

------
xtat
I mean they got pushed into it lol-- how do you know you can trust it anymore
than say, facebook?

------
keyle
So, they're announcing a feature they've already said they had but didn't?

------
kahlonel
I can't wait for the quarantine to be over. I'm tired of this Zoom-mania.

------
idoh
Zoom will always do the right thing, after exhausting all the other options.

------
tylergetsay
Doesn't video conferencing require some kind of server encoding for each peer
based on their bandwidth?

If I am sending fully encrypted high resolution video, wont a slow mobile
device have trouble receiving it?

------
antpls
So what about "compliance with FBI" ? I thought no end to end encryption for
free users was initially a move to keep FBI at bay / "comply" with regulations

------
Wheaties466
Whatever happened to Go to meeting? Why did they fail to adapt?

------
m3kw9
Is funny how people deriding Zoom either they give E2E or not

------
pmlnr
Question: how much performance overhead is e2e encryption on video? Most
people are not on endless cores sitting in liquid helium.

------
AcerbicZero
Zoom is just the herald of the kang gang. I feel bad for the kids who picked
up those ZM 250C's 6/19 the other day.

------
Technetium
I still don't trust them with anything.

------
huxflux
How many times can a software producer let the end-customer down and still get
away with it in 2020?

------
cryptozeus
I am surprised at how unforgiving everyone is here. Zoom owned their mistakes
publicly and trying to improve on that as soon as possible. How much more can
you get ? Looking back you can see such incidents with all kinds of companies
like faang. Don’t buy into surface level news and get outraged. This is a
fantastic product and I think they deserve a chance to correct themselves.

~~~
0xy
The difference is that Zoom is developed almost entirely within China, making
them beholden to CCP influence and laws.

Can you name a single company in China that offers true E2EE? All the
messaging apps are utterly compromised and running real-time surveillance and
censoring, for example.

------
Sektor
My instant 'WTF' reaction to this was - Is Zoom traffic currently unencrypted?

------
gregjw
Not worth celebrating.

It's ridiculous they've been dancing around this for so long.

------
thedudeabides5
Does anyone know if our data still goes through mainland Chinese servers?

------
jliptzin
What does Zoom do that other free services (google hangouts) do not do?

~~~
InternetOfStuff
Breakout rooms, for instance?

Better video quality?

Dual-screen mode?

Or simply the superior video and audio quality compared to Meet.

I wish I could move away from Zoom, but I've yet to find something similarly
useable for my use case (remote trainings).

------
tryamtamtam
For networking meeting really recommend use Connect.Club video app.

------
jonny383
Zoom will be the new Skype in 2021, post-covid.

------
gdsdfe
Haha no one is riding the wave like zoom!

------
f0ok
They are probably using keybase ;)

------
2squirrels
My trust in zoom is lost regardless of how they handle things from here on
out.

------
mikekij
Too late.

------
Snelius
too late

------
AlGnERAl
thanks

------
substar7
Anyone used this site to purchase traffic?
[https://andwebtraffic.org](https://andwebtraffic.org)

------
v0tary
What? This isn't a thing already?

------
xenospn
Does anyone actually trust Zoom, though?

------
TLightful
Too late. Trust broken.

------
LibertyBeta
Doesn't help if they close down your account for saying the wrong thing....

------
zentiggr
I've got to wonder who wants their e-to-e connection to root through servers
physically in China.

Zoom seems to be a poster child for the surveillance state.

~~~
hungryhobo
What does this even mean? E2e is specifically designed to address this
problem.

------
dr0wsy
Zoom is primarily an enterprise product. They have chosen to have some form
off verification to lower the amount of abuse on their platform.

If you want privacy you simply have to choose another product or service.

You aren't entitled to use their service without paying for it.

