Is Zoom Safe

I really did not want to be writing this blog post, but I have been working remotely for 20 years now, and because of the coronavirus, friends and family have joined me in working from home. One of my biggest pieces of advice has been to use Zoom as a meeting tool to replace anything normally done face to face.

Zoom is a no-brainer really; even Bill Gates praised it as an essential tool in fighting this plague in his TED interview last week. That is quite something, as Bill Gates owns two competing products, Skype (personal and business) and Microsoft Teams. Funnier still, the interview itself was conducted over yet another competitor, BlueJeans.

Back to why I need to get this down on paper, so to speak. Since I have been recommending Zoom, a friend has asked me on three occasions about the security of the product. He was especially concerned about HIPAA compliance, which they have. All the newcomers to remote working who have set themselves up with Zoom will be shocked to read that it is not end-to-end encrypted, as Zoom has been advertising.

Well, here's the thing: it's very common for end-to-end encryption not to really be end to end.

There are a few different cases to keep in mind. Firstly, let's talk about client antivirus scanning products. It's quite common for the AV engine to decrypt your browsing requests using some locally available public key, scan the request for malicious content, then re-encrypt it before you see the content.

Then there are Web Application Firewalls and other (reverse) proxy servers, which will also decrypt and re-encrypt both requests and posts on the fly, checking for bad behaviour.

Both of these cases, where the end-to-end encryption is broken, are essential security measures and are accepted as such.

Zoom adds a dummy user to all conference calls, and this dummy user in effect breaks the idea of end-to-end encryption. The dummy user is a black box. Its purpose is to improve functions of the product, as admitted in the Verge article; for example, to know when to switch focus to the speaker. Do we trust that Zoom does not misuse the data they are collecting? Their privacy policy is pretty clear and simple:

Zoom collects only the user data that is required to provide you with their services.

And that is really all that matters. It's a black box which does not misuse the collected data. So yes, there is not really end-to-end data encryption, but we accept that end-to-end encryption is rarely really what it says it is. In all of these cases, data is encrypted at all endpoints, so no snooping or man-in-the-middle attacks can occur. In the case of Zoom, the privacy of the conversation has to be what's important. In the case of a firewall product, it's ensuring there is no snooping, no man-in-the-middle attacks, and that the data is not malicious.

We can also mention another case: email. If you have a spam or AV filter, your emails are being decrypted, scanned for spam or viruses, then re-encrypted. In the case of many free email products such as Gmail, their black box scans the email to decide what ads to serve you; I'm not keen on that case.

There were another two revelations I came across in the press these last couple of days. Prime Minister Boris Johnson shared a Zoom screenshot which revealed his meeting ID. That is funny, and maybe Zoom should not show the meeting ID top left. While many hackers might have tried to access this meeting, the meeting was password-protected, as is always good practice. There was no risk there. If you want to set some security on a meeting, you should; if you don't and someone "falls" into your meeting, which does happen, all participants are aware there is an unwelcome guest, and you can deal with it.

And then there were the Zoom porn hacks which the Daily Mail claims the FBI is investigating. But really, if you want to have private meetings and are worried about dick pics, set the meeting to private and use a password.

I never answered my question. So, is Zoom safe? Well, it's not ideal, for sure. It does look like they are setting themselves up to start running ads on the free platform, so that black box will be doing the same as Gmail's, suggesting and serving ads related to your conference call, and reading this at the Register, you probably don't want to be using Facebook to log in. But there are few other options that work as well at allowing you to work remotely. There are a lot of eyes on Zoom's behaviour now, so it is still a work in progress.

Zoom have confessed to their poor security practices and have promised to do better, and soon.
