
Show HN: Zoom Redirector - arkadiyt
https://github.com/arkadiyt/zoom-redirector
======
therealmarv
I'm guessing this is related to the "Zoom monitors activity on your computer"
story
[https://news.ycombinator.com/item?id=22657384](https://news.ycombinator.com/item?id=22657384)

~~~
arkadiyt
It's something I've wanted to write for a long time, and that tweet finally
spurred me to do it. Hadn't seen the HN thread though!

~~~
vasili111
So web-based Zoom cannot detect if Zoom window is not active?

~~~
arkadiyt
It can still do that, but it can't get what programs you have running or the
other data collected by the desktop client.

Beyond the privacy concerns it's a security risk. Their desktop client had a
remote code execution vulnerability last year:

[https://www.zdnet.com/article/researcher-says-zoom-web-server-is-vulnerable-to-remote-code-execution/](https://www.zdnet.com/article/researcher-says-zoom-web-server-is-vulnerable-to-remote-code-execution/)

------
igetspam
I had no idea there was even a web version. Does it work in Linux? Zoom often
leaves me with broken audio and I really dislike having to have more rarely
used software trying to stick around in memory. I uninstall it after each use,
purely out of spite. This is great.

~~~
runarberg
On Ubuntu + Firefox I can see other people, but I can’t hear anything, nor can
they hear me (I don’t know if they can see me)

~~~
arprocter
I believe they recommend Chrome, so you might want to give that a try

~~~
tjpnz
It's like we're back in the 90s again.

~~~
X6S1x6Okd1st
Except now the webapp is real time video and voice chat

~~~
komeijist
The joke was (at least to the best of my knowledge) that nudging people to use
chrome is further reinstating their monopoly, leading to a browser landscape
comparable to IE days, which would not quite be the 90s, but close.

------
jwr
I highly recommend using solutions based on WebRTC, which is present in all
modern browsers and is _really_ good (see
[https://www.youtube.com/watch?v=WFil-ZPE0-g](https://www.youtube.com/watch?v=WFil-ZPE0-g)
for a comparison with Zoom).

Whereby (formerly appear.in) [https://whereby.com/](https://whereby.com/) has
a really nice and simple system. No more jumping through a dozen hoops, no
more installing software with glaring security holes and borderline malware
behavior (looking at you, Zoom).

~~~
Quanttek
How does WebRTC compare when you have a lot of callers (e.g. 20 people in a
call)? From my understanding, it is p2p, so the network throughput required
would be a lot higher, correct?

~~~
jwr
TBH, I have no idea, I have done calls with up to 8 people only. I would be
interested to know myself. Whereby seems to support up to 12 video streams,
with the rest being audio-only.

~~~
DyslexicAtheist
we've been using jit.si in 2016 which worked well but it might be overloaded
today idk. we hit some bottlenecks when trying to scale up and improved the
situation by running our own jitsi instance on a DO droplet but that too would
not scale to a large audience. I think that if you have more than 10
participants in the meeting then you have anyway other problems (the same
issues when you have too many people in a f2f meeting).

from a technical pov I still wonder if running jitsi (or another similar
solution) on dedicated hardware which is better tailored to a GPU intensive
operation. This could then be easily deployed in-house (with all the benefits:
full control and eliminating a lot of attack vectors). Seems like a cool
problem to solve while in corona quarantine.

------
tristandunn
This inspired me to finally figure out how to be able to one-click Zoom links,
with no external protocol prompt or leftover useless tab in Chrome.

[https://github.com/tristandunn/one-click-zoom](https://github.com/tristandunn/one-click-zoom)

~~~
rbirkby
[https://medium.com/zoom-developer-blog/zoom-url-schemes-748b95fd9205](https://medium.com/zoom-developer-blog/zoom-url-schemes-748b95fd9205)

~~~
tristandunn
The official Zoom Scheduler extension automatically adds https://
links to Google Calendar. I suppose I could hijack the URL earlier, but you'd
still need the external protocol prompt setting. And I guess depending on how
it's handled it could potentially avoid the need to close the tab, although it
might require permissions for every website instead. I think I'll stick with
my simple solution for now.

------
aequitas
Doesn't zoom also support h.323 and SIP [0]? There are open clients available
for this [1]. Don't know how well these actually work.

[0] [https://support.zoom.us/hc/en-us/categories/200110033-H-323-SIP](https://support.zoom.us/hc/en-us/categories/200110033-H-323-SIP)

[1] [https://www.gnugk.org/h323-endpoint.html](https://www.gnugk.org/h323-endpoint.html)

------
CPLX
I used to get pretty annoyed that Zoom made me download the stupid client to join
a video chat but now that I’m using it constantly I’m learning that there’s a
pretty great reason, the native app is so superior in terms of user
experience.

~~~
thedance
Or is it just that the Zoom web experience is really poor? Google Meet and
BlueJeans web UIs are great.

~~~
webo
Isn’t BlueJeans just a wrapper around zoom?

------
AgloeDreams
I really want to try this out for the specific reason of testing to see cpu
performance differences. The MacOS app is a massive CPU abuser with ~50-60%
use in meeting or sharing on my iMac 4k, it makes demoing work much slower
than reality and makes my work look slower than it even is IRL.

------
raybb
Would be great to add tampermonkey/greasemonkey support. Opened a ticket for
it

~~~
arkadiyt
The current implementation uses the WebExtension apis to perform an _internal_
redirect. When you navigate to a Zoom meeting, before the browser opens a
connection or sends a single network packet, the extension rewrites the url to
navigate to their web client.

On the other hand tampermonkey/greasemonkey are content scripts that get
injected into loaded pages. An implementation here would look like: the user
navigates to a Zoom meeting, they load the entire page, and then a script gets
injected to perform a `window.location` redirect. This will be slower and
depending on the timing of events you may even still get the Zoom file
download prompt.

So I don't think tampermonkey/greasemonkey is a good fit here.

~~~
sjnair96
Tampermonkey, I believe, can also intercept HTTP requests. Maybe that's
sufficient/necessary for redirecting to another client.

~~~
capableweb
I can't find any information around this except an open issue
([https://github.com/Tampermonkey/tampermonkey/issues/397](https://github.com/Tampermonkey/tampermonkey/issues/397)),
you got any links?

As I understand the issue linked above, they want to support it but currently
do not, in official releases. What's supported is catching all requests in a
page, but that's after the contentscript has been applied to the page, which
means what arkadiyt wrote would still be accurate.

------
lostmsu
Made a WebView wrapper for Windows, that has an additional benefit of having a
separate browser profile (e.g. no crosstracking):
[https://losttech.software/Downloads/FuZoom/](https://losttech.software/Downloads/FuZoom/)

------
alimoeeny
I wish there was a solution for Cisco WebEx. To join in a browser and avoid
their application. On macOS it automatically adds itself to the launchagents
(or whatever that autolaunch on login is), it is not the easiest thing to get
rid of (regular users might be stuck with it forever).

------
michaelrkn
I once used Zoom's web interface and the video quality was horrible. When I
switched to the downloaded app, it was much better. Not sure if this was a
one-off problem or an underinvestment in their web interface.

~~~
dbrgn
The web version will be using WebRTC with whatever codecs your browser ships
while the native version is able to use custom codecs.

~~~
padenot
This is incorrect. Zoom doesn't use webrtc audio and video channels, only data
channels, and has reimplemented audio and video channels on top of that, doing
the decoding in js and probably wasm.

They also limit the resolution to 480p for the web app, probably because of
performance. Browsers and zoom both use h264, but browsers usually use vp8
instead.

There is no reason webrtc cannot offer the same quality (or better) than zoom,
at the same bit rate, but it all comes down to the actual implementation of
browsers and web apps. webrtc-based apps work well, these days.

~~~
dbrgn
Thanks for the information, I also realized that a while after writing the
comment. No wonder the experience is worse than in their native client, data
channels are still terribly unoptimized (sometimes even broken in some
aspects).

Edit: [https://bloggeek.me/when-will-zoom-use-webrtc/](https://bloggeek.me/when-will-zoom-use-webrtc/)

------
mooreds
When I saw the title I thought it was something else. At a previous company we
had a nice url: mooreds.example.com

which would redirect to a standing zoom url. Made for a nice way to easily
start a video conversation.

------
psim1
I can’t seem to figure it out: what is the URL pattern that leads to a web
meeting rather than an app launch? I don’t want a widget. I just want to type
it in myself.

~~~
zamadatix
Looks like prefix the id in the path with /wc/ and postfix it with /join
though if I look at a real Zoom invite with both links it's prefixed with
/wc/join e.g.
[https://example.zoom.us/j/<numbers>](https://example.zoom.us/j/<numbers>) is
[https://example.zoom.us/wc/join/<numbers>](https://example.zoom.us/wc/join/<numbers>)
for the web link.

~~~
psim1
That works! The "join" can go before or after the numeric ID. I just tried it
both ways.
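
Added example, not part of the thread and not the extension's own code: the `/j/<id>` to `/wc/join/<id>` rewrite described here, done as the pre-request internal redirect arkadiyt describes above. The function name `toWebClientUrl`, the host regex, and the use of a Manifest V2 style blocking `webRequest` listener are assumptions of this sketch.

```javascript
// Added example. Maps the app-launch path /j/<id> to the web-client
// path /wc/join/<id> mentioned in the thread.
const ZOOM_HOST = /^([a-z0-9-]+\.)*zoom\.us$/; // zoom.us and its subdomains only

function toWebClientUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  // Check the parsed hostname, never the raw string, so look-alike
  // hosts such as zoom.us.example.net are left untouched.
  if (url.protocol !== 'https:' || !ZOOM_HOST.test(url.hostname)) return null;
  const m = /^\/j\/(\d+)\/?$/.exec(url.pathname);
  if (!m) return null; // already a /wc/ link, or not a meeting link
  url.pathname = `/wc/join/${m[1]}`; // the query string is carried over unchanged
  return url.toString();
}

// Register only when running inside an extension; under Node this is skipped.
const api = globalThis.browser || globalThis.chrome;
if (api && api.webRequest) {
  api.webRequest.onBeforeRequest.addListener(
    (details) => {
      const target = toWebClientUrl(details.url);
      // Returning redirectUrl rewrites the navigation before any request
      // for the original URL leaves the browser.
      return target ? { redirectUrl: target } : {};
    },
    { urls: ['https://*.zoom.us/j/*'], types: ['main_frame'] },
    ['blocking']
  );
}
```

The listener needs the `webRequest` and `webRequestBlocking` permissions plus host access for `*.zoom.us`, which is a much narrower grant than a content script that runs on every page.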

------
christopoulos
Solving Zoom’s Dark Pattern no 1... great work!

------
AlexCoventry
Oh, cool. I really need this. Thanks.

------
jbverschoor
Never zoom for me ever again with their malware.

I refuse to use or install their product.

~~~
SCdF
That is great for you. For a lot of people it's becoming a requirement of
their jobs, and quitting in a global pandemic over an app seems like a
non-optimal response.

~~~
DyslexicAtheist
this attitude is actually a major part of the problem - if engineers would
consistently speak up instead about this not meeting security / privacy
standards maybe we could have nice things. unfortunately people either really
are this incompetent and don't know or lack the balls to do so. Either way we
all lose out.

zoom seriously needs to die. no friggin way I'd ever engage in a responsible
disclosure with this company - no matter who gets thrown under the bus.

~~~
SCdF
No one is saying don't speak up.

You're commenting on a post that is about a link that helps people use a web
version of Zoom, which by its definition doesn't have the malware issues that
people talk about (unless they are breaking sandboxing in the browser which
would be pretty major).

What I was replying to was the "no grey area allowed" black and white dying on
a hill response to the existence of the tool at all. This is why non technical
people roll their eyes at technical folks and ignore us, because so many of us
live in this world where we aren't willing to negotiate or hold more than a
single thought in our heads at once.

I don't want to use Zoom, I bring up alternatives at my org all the time, and
meetings that I control do not use it, and I do not install their binaries on
my own devices, instead opting to use the web client when required. But the
reality is that I don't get to make that call all the time, and if it's a
choice between using Zoom on the web and not communicating at all, then the
choice seems pretty clear to me.

~~~
DyslexicAtheist
I understand your sentiment and am even inclined to agree with it. but I have
been there before just too many times. there is always a momentum for such a
discussion as long as the product hasn't yet fully saturated the market. that
said, even if that window of opportunity is utilized by critics (e.g.
engineers and early adopters) there still is a high risk that this type of
behavior (by Zoom) gets normalized. it's the same old pattern: we create small
hacks and workarounds which nobody except a minority knows or cares about -
eventually they'll release features which we're no longer able to work around -
by then employers consider it as a "critical software to do business" - by
which any discussions about flaws have become impossible. (too big to fail)

if we don't speak up now and give them FIRE, then the covid19 crisis will have
been the reason why another surveillance technology gets normalized. working
under tracking a la "upwork.com" - where marketeers decide how to screen
capture and key-log all input is somehow normal.

note: I'm not attacking your point and didn't think you agree to Zoom's way of
doing things. I just feel really strongly about not giving them any benefit of
the doubt because they have already got a history of abusing trust.

my comment in the sibling thread mentions why this literally can't be fixed
with a browser add-on:
[https://news.ycombinator.com/item?id=22662212](https://news.ycombinator.com/item?id=22662212)

again: not an attack on your comment, not attacking OP's work either. and we
probably agree on more than we disagree here by what I can tell

------
gumby
Will the drive to mass online meetings finally revive multicast?

------
DyslexicAtheist
I don't want to diss an effort made with good intentions. though this is like
using duct tape on fatally flawed design - it doesn't solve the problem. We're
dealing with an inherently hostile company which aggressively uses dark
patterns, ignoring privacy and security best practices. Not only are they
ignoring these things they actively bypass the security control on the host
system where it is installed - this is literally what malware does. You don't
put duct tape on malware so it works better for you!

If they would be a Chinese company they'd be banned and probably even
sanctioned. Stop using this shit and stop justifying its use just because your
employer makes you use it. Grow some balls (or eggs) and speak up naming it
for what this is (malware) - so that we can all have nice things and not be
forced to engage in endlessly justifying ourselves because _"team or company
XYZ is using it too and it works great for them ..."_

~~~
skrebbel
I have absolutely no idea what you're on about. How is Zoom malware?

By "actively bypass the security" do you mean "it's a program that you need to
install on your computer"?

Can you elaborate why Zoom is malware in ways that VS Code, VLC Media Player
or Photoshop aren't?

EDIT: I mean the question honestly, as a question. I might have missed
something. I mean, I saw yesterday's HN topic on a tweet that claims it sends
info about all active programs to a server. But I saw nothing to substantiate
that other than an "attention tracking" feature which is way less invasive
than what's described in that tweet and off by default.

Did I miss the evidence, or some other damning privacy invading misfeature?

~~~
rainforest
The videoconferencing industry seems to believe it's necessary to bypass
regular OS protections to make the UX "better".

For example: [https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras](https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras)
By design, instead of using a URL
handler, they run a HTTP server on your machine to bypass the "open with"
dialog. There are good reasons not to trust the binaries they ask you to run.

Here, it turns out they offer a web client after all, which is nice and
sandboxed, but they default to trying to run a binary on your machine where
you have less control over what it does.

~~~
kristianc
> Update, 5:15PM ET July 9th: Zoom has published a blog post detailing its
> response to this vulnerability, including how it will patch its software and
> uninstall the webserver it has installed on Macs. More details here, and
> original story follows.

Seems like they don't, and haven't since July.

~~~
rainforest
This is an example. Why would you trust an organisation that engineers
"solutions" to security measures but does so without due care and attention
leading to a widespread critical security bug?

