Hacker News new | past | comments | ask | show | jobs | submit login
Zoom End-to-End Encryption Whitepaper (github.com)
51 points by ceohockey60 28 days ago | hide | past | favorite | 30 comments

How can they offer E2E while still complying with Chinese laws?

It's not just Chinese laws, Zoom has shutdown accounts of Chinese dissidents who are residing in California.[1] This seems like more than just complying with local laws; it's actively supporting the policy of a government upon people who do not even live there.

[1] https://www.washingtonpost.com/world/asia_pacific/zoom-censo...

Quite easily. They just need to make it so that one of the "ends" is Zoom itself.

Zoom isn't an end. That's not what "end" means in the context of "end to end".

It shouldn't be, but if you don't control the software and the encryption algorithm, there's no reason why zoom couldn't just sign the content so that could evesdrop on everything.

If you don't have end-to-end encryption, then yes, Zoom can man-in-the-middle your conversation. That is how we know Zoom doesn't have end-to-end encryption.

That doesn't mean end-to-end encryption is pointless, if that's what you're implying.

Signing has nothing to do with eavesdropping.

That's simply not correct. If you don't have authentication you don't have encryption.

That’s actually what they did before. They’ve been claiming to have e2ee for a while now and their excuse when caught was just that.

It seems to me they have a way to do E2E without sacrificing quality with many participants.

It seems more like they didn't implement E2E encryption.

How so?

At https://team.video instead of lying to you and saying we do end to end encryption, we tell you that we do point to point encryption: https://team.video/pages/security

This allows us to identify the active speaker, keep some statistics on who spoke in the meeting, and rely on mediasoup's fantastic media router ("e.g. hey, we missed a keyframe there, can you give one to me?")

(edit: omit needless words)

Or... you can instead use a service with actual end-to-end encryption like Jitsi.

Yes!, at the cost of recording, speaker stats, and all participants having a pre-shared secret. Or you could use a peer to peer service that doesn't use a media router, if you have few enough participants.

Insertable streams are coming, along with e2ee through media routers. The Jitsi folks are doing great experiments there, and I'm happy they have taken the lead.

> and all participants having a pre-shared secret

This is actually a good thing.

> at the cost of recording

You can use an external application. Inconvenient? Sure, but worth it for e2ee.

Bonus: Unlike your application Jitsi is foss and does not require a centralized account.

I think if I were in your shoes right now I might use a peer to peer video conferencing application that relies on tried and true p2p e2ee (or build one, it's not hard).

Insertable streams are new, and less proven.

An honest question, do you visit sites served by Cloudflare? Is point-to-point encryption okay for your use cases there, or do you have security concerns that require e2ee for your communications?

> Is point-to-point encryption okay for your use cases there, or do you have security concerns that require e2ee for your communications?

I would actually be fine even with raw http for said sites.

How does zoom's implementation compare with the insertable stream approach that I think Jitsi were also talking about?


I think the biggest difference is that Zoom's implementation will be opaque, and Jitsi (and mediasoup's, etc.) will not be.




Aha, how did you built e2e? Is it working only in chrome with experimental flag enabled?

The person you are responding to specifically says they didn't implement e2e.

So we should try your service just because you say you won’t lie? What do you think of this white paper anyway?

You should do whatever you want to do, you are your own human.

My biggest question about Zoom's implementation is, how can we trust it? They haven't proven themselves to be trustworthy, so it's a big ask for the world to believe their latest pitch.


1. Zoom: is actively lying right now, has lied in the past, and has had numerous security breaches which were easily avoidable.

2. Team.video: This Doug W. Brunton fellow may be lying, but at least is not currently taking an opportunity to lie, and seems to have a decent grasp of the tradeoffs involved in end-to-end versus point-to-point.

So we should use your service because you don't lie, correct?

I don't think he's trying to convince you he's not lying, but rather we should promote services that encourage transparency and open standards.

Nope, I don't have a competing service.

Try again.

There are instances in every large corp in and out of the Nasdaq of lying, don't be a hypocrite.

I have done my best throughout my career to tell the truth. If you can find an example where you think I've lied, I'd be happy to clarify. So no, I'm not a hypocrite.

You're literally taking a pro-lying stance right now. Is that really who you want to be?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact