
Security and Privacy Implications of Zoom - pwg
https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
======
badrabbit
Zoom has been around for a while. IMHO, their sloppiness and privacy issues are
typical of their class of corporate software. Having used them plenty, this
does not surprise me one bit. If you told me the same about Lync ("Skype for
Business") I would not be surprised one bit either.

Just one last thing: the UNC thing... yeah, lots of apps have that issue, and it
is an issue only if you have a home PC and disable Windows Firewall, or if you
are an enterprise user and your network does not block outbound SMB (in which
case you have a whole host of problems). Pretty sure Skype and other
clients (including IRC, Jabber, etc.) do it; it actually makes a lot of sense
when talking about corporate meetings. I believe it's Windows that sends your
creds to the attacker; the client just makes it clickable.
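As an added example (not code from the thread, from Zoom or from any client the comment names), here is the client-side half of that point in Go: a chat linkifier that makes http(s) URLs clickable but refuses to turn UNC paths or file: URLs into links, so a click can never hand the OS a path that opens an outbound SMB session and an NTLM exchange with an attacker-chosen host. The function names (`linkify`, `uncPath`), the `Link` type and the sample message are all constructed for this example; the network-side control the comment mentions (blocking outbound SMB) is independent of it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// uncPath matches a Windows UNC path at the start of a token: two leading
// backslashes (Windows also accepts forward slashes), a host name, a
// separator and at least one more character. Opening such a path makes
// Windows connect to the host over SMB and answer its NTLM challenge.
var uncPath = regexp.MustCompile(`^(\\\\|//)[^\\/\s]+[\\/]\S`)

// Link is a token the chat client would render as clickable.
type Link struct {
	Text, Target string
}

// linkify splits a chat message into whitespace-separated tokens and returns
// the ones safe to make clickable (http/https URLs) plus the ones refused:
// UNC paths and file: URLs, which stay plain text so no click can start an
// outbound SMB connection. This is the client-side mitigation; blocking
// outbound TCP 445 at the firewall is the network-side one.
func linkify(msg string) (links []Link, refused []string) {
	for _, tok := range strings.Fields(msg) {
		lower := strings.ToLower(tok)
		switch {
		case uncPath.MatchString(tok), strings.HasPrefix(lower, "file:"):
			refused = append(refused, tok)
		case strings.HasPrefix(lower, "http://"), strings.HasPrefix(lower, "https://"):
			links = append(links, Link{Text: tok, Target: tok})
		}
	}
	return links, refused
}

func main() {
	// Constructed sample message, not a real chat capture.
	msg := `agenda: https://meet.example/agenda notes: \\fileserver.example\share\notes.docx mirror: //fileserver.example/share/notes.docx also: file://fileserver.example/share/x`
	links, refused := linkify(msg)
	fmt.Println("clickable:", links)
	fmt.Println("left as plain text:", refused)
}
```

Tokenising on whitespace is deliberately conservative: anything that is not an http(s) URL is simply not linked, which is the safe default for a chat client.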

------
kerng
This is a great summary of the ongoing issues; it does, however, miss a few
things, including a security vulnerability in their lobby feature that was
privately reported to Zoom by CitizenLab the other day, and which still
needs fixing.

The crypto part is really bad, because it even seems potentially malicious.

Has anyone done crypto analysis on the pwd= query parameter? Knowing their
security skills, I'm wondering if that is crackable...

------
thosmos
What are some good alternatives to Zoom that are actually true end-to-end
encrypted? I know of one: [https://www.crypho.com/](https://www.crypho.com/)
and Crypho is offering free audio and video conferencing for the next 3 months
due to Coronavirus demand.

~~~
hacklivelove
What about open-source Jitsi hosted on your own servers? Sounds like a much more
secure and controllable option. I have used it just several times for group
calls, so I cannot say how full the functionality list is, but so far it is a
rather good alternative to Zoom.

------
seemslegit
Now replace "Zoom" with "Microsoft" and "Google" and all the privacy abuse
aspects still hold.

------
tardyp
Calling it a disaster... I find the security community a bit tough on
Zoom.

They traded a bit of security in favor of usability? Fair enough. They failed
to recognise AES-EDC can be attacked by very motivated cryptanalysts? Alright.

They gathered a little bit more data than they claim they did? Well, who is
not doing that?

I think they proved they can be agile. They fixed a bunch of sec issues in a few
days, while growing their user base like 30x, in a shutdown period! How many
companies would be able to do that?

I am sure they will work on fixing all of those quickly. E2EE will take a bit
of time. Right. In the meantime, Zoom is working pretty darn well for talking
with 10+ family and friends while everybody is contained. Do we need E2EE for
that? Probably not, but that is my choice.

~~~
seemslegit
That's AES-ECB, and it can be viewed by bored amateurs.

~~~
tptacek
No, it can't.

~~~
seemslegit
Well, for simple enough protocols and bored enough amateurs.
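What the AES-ECB remark in tardyp's comment and the replies to it turn on is a property of the mode, not of AES itself: under one key, ECB encrypts every 16-byte block independently, so equal plaintext blocks give equal ciphertext blocks and the pattern of repeats is visible without any key recovery. The following Go program is an added example, not code from the thread or from Zoom: it encrypts a constructed plaintext with repeated blocks under ECB and under CTR, and counts duplicate ciphertext blocks the way the classic ECB-detection exercise does. The key, nonce, sample data and function names are all constructed for the example; Go's standard library intentionally provides no ECB mode, so it is built from the raw block cipher here only to show what it leaks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed demo key and nonce, fixed so the output is reproducible.
// A real system derives fresh keys and never reuses a CTR nonce under a key.
var (
	demoKey   = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoNonce = make([]byte, aes.BlockSize)
)

// ecbEncrypt runs the raw block cipher over each 16-byte block on its own.
// Equal input blocks therefore produce equal output blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// ctrEncrypt uses AES-CTR: each block is XORed with a distinct keystream
// block, so equal plaintext blocks no longer give equal ciphertext blocks.
func ctrEncrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block. A non-zero count on real data is the classic ECB tell and needs
// nothing but the ciphertext.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]struct{})
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if _, ok := seen[b]; ok {
			dups++
		}
		seen[b] = struct{}{}
	}
	return dups
}

// demo builds a constructed plaintext of four identical blocks followed by
// one different block (think of a repeated frame of silence or a static
// region of an image), encrypts it both ways and returns the repeat counts.
func demo() (ecbDups, ctrDups int, err error) {
	pt := append(bytes.Repeat([]byte("SILENCE BLOCK 16"), 4), []byte("LAST BLOCK DIFFS")...)
	ecb, err := ecbEncrypt(demoKey, pt)
	if err != nil {
		return 0, 0, err
	}
	ctr, err := ctrEncrypt(demoKey, demoNonce, pt)
	if err != nil {
		return 0, 0, err
	}
	return repeatedBlocks(ecb), repeatedBlocks(ctr), nil
}

func main() {
	ecb, ctr, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("repeated ciphertext blocks: ECB=%d CTR=%d\n", ecb, ctr)
	two, _ := ecbEncrypt(demoKey, bytes.Repeat([]byte("SILENCE BLOCK 16"), 2))
	fmt.Println("ECB of two equal blocks:", hex.EncodeToString(two[:16]), hex.EncodeToString(two[16:]))
}
```

The ECB count is three because blocks two, three and four repeat block one; the CTR count is zero because AES is a permutation, so the keystream blocks for distinct counter values are distinct and equal plaintext blocks cannot collide. Recovering content from ECB still depends on how much structure the plaintext has, which is the point the last two replies argue about; the example shows only the leak that is there regardless.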

