A new document from Zoom illustrates how the company hopes to beef up the security and privacy of its virtual meeting platform.
As the coronavirus has forced quarantines, there's been a surge in demand for virtual meeting and video chat apps. Though many such apps have seen an increase in use, Zoom has been one of the top beneficiaries, popular both with individuals and organizations. But Zoom has also been criticized for its weak security and privacy measures, leading to problems such as Zoom bombing. Further, Zoom currently lacks the full end-to-end encryption that more traditional business services employ. A document posted by Zoom on Friday explains how the company hopes to more fully protect sensitive meeting data and communications.
In its Friday blog post, Zoom announced the draft publication for its end-to-end-encrypted offering. Contending that security and privacy are the two "pillars" of its new plan, Zoom has published its document on GitHub for peer review, hoping to kick off discussions and get feedback from cryptographic experts, nonprofits, advocacy groups, and customers.
Zoom meetings currently offer encryption but with certain limitations. Encryption is used to protect the identity of users, call data between Zoom clients and Zoom's infrastructure, and meeting contents. When a Zoom client is authorized to join a meeting, that client is given a 256-bit security key from Zoom's server. But the Zoom server retains the security key provided to meeting participants, thereby lacking true end-to-end key management and encryption.
The lack of full end-to-end encryption means that an attacker who can monitor Zoom's server infrastructure and gain access to the memory of the relevant Zoom servers could defeat the encryption for a specific meeting. As such, that person could then view the shared meeting key, derive session keys, and decrypt all meeting data.
To fix some of its security holes, Zoom outlined the goals of its proposal as follows: 1) Only authorized meeting participants should have access to their meeting's data; 2) Anyone excluded from a meeting should not have the ability to corrupt the content of that meeting; 3) If a meeting participant engages in abusive behavior, there should be an effective way to report that person to prevent further abuse.
To advance its goals, Zoom has organized its proposal into four phases.
Phase 1. In the first phase, every Zoom application will generate and manage its own public/private key pair, with those keys known only to the client. Clients will be able to generate and exchange their session keys without needing to trust the server. During this initial phase, this key-management improvement will support only native Zoom clients and Zoom Rooms, and only scheduled meetings.
Phase 2. In the second phase, Zoom plans to unveil two features for users to track each other's identities without having to trust Zoom's servers. One feature is an Identity Provider Initiated Single Sign-On (SSO IdP) that can cryptographically vouch for the identity of each user.
Phase 3. In the third phase, Zoom will launch a feature that forces its servers to sign and immutably store each user's security keys, ensuring Zoom provides a consistent reply to all clients about the keys. This will be created through a "transparency tree," a feature similar to those used in Certificate Transparency and Keybase.
Phase 4. In the final phase, devices will be even more strongly authenticated. A meeting participant will have to sign new devices using existing devices, use an SSO IdP to reinforce device additions, or delegate authentication to an IT manager. Until one of these conditions is met, the participant's devices will not be trusted.
With these new security initiatives, Zoom also proposed certain changes to its client application.
The interface for setting up a meeting will feature a new checkbox called End-to-End Security. If this box is checked, the "Enable Join Before Host" checkbox becomes grayed out and deselected, the cloud recording feature becomes disabled, and all clients must run the official Zoom client software; those using the Zoom website, legacy Zoom-enabled devices, or a dial-in connection will be locked out of the meeting.
After the meeting starts, all participants will see a meeting security code they can use to verify that no one's connection to the meeting was intercepted. The host can read this code out loud, and all participants can check that their clients display the same code.
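The two mechanisms described above, per-client key pairs used to hand out a meeting key without trusting the server (Phase 1) and a security code that participants compare out loud, as an added illustration that is not Zoom's code or design. It assumes a Diffie-Hellman exchange over the RFC 3526 group 14 prime, a simplified XOR key wrapping, and a code defined as a SHA-256 hash of the meeting id and the public keys each client saw; it then shows why a relay that swaps in its own key is caught by the code comparison even though decryption still succeeds.

```python
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime, generator 2; standard library only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

def generate_keypair():
    """Each client makes its own key pair; the private half never leaves it."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(2, priv, P)

def wrap(priv, peer_pub, key):
    """Assumed simplified wrapping: XOR with SHA-256 of the DH shared secret (self-inverse)."""
    kek = hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()
    return bytes(a ^ b for a, b in zip(key, kek))

def security_code(meeting_id, public_keys):
    """Assumed code: SHA-256 over meeting id and the sorted public keys, shown as 15 digits."""
    h = hashlib.sha256(meeting_id.encode())
    for pub in sorted(public_keys):
        h.update(pub.to_bytes(256, "big"))
    digits = str(int.from_bytes(h.digest()[:8], "big")).zfill(20)[-15:]
    return "-".join(digits[i:i + 5] for i in range(0, 15, 5))

def run_meeting(meeting_id="constructed-meeting-1234", mitm=False):
    """Return (participant recovered the meeting key, her code matches the host's)."""
    host_priv, host_pub = generate_keypair()
    alice_priv, alice_pub = generate_keypair()
    session_key = secrets.token_bytes(32)
    if not mitm:
        host_sees, alice_sees = alice_pub, host_pub
        wrapped = wrap(host_priv, alice_pub, session_key)
    else:
        # A relay that swaps in its own public key on both sides and re-wraps the
        # meeting key: Alice still decrypts, but the two security codes disagree.
        mitm_priv, mitm_pub = generate_keypair()
        host_sees = alice_sees = mitm_pub
        stolen = wrap(mitm_priv, host_pub, wrap(host_priv, mitm_pub, session_key))
        wrapped = wrap(mitm_priv, alice_pub, stolen)
    recovered = wrap(alice_priv, alice_sees, wrapped)
    host_code = security_code(meeting_id, [host_pub, host_sees])
    alice_code = security_code(meeting_id, [alice_sees, alice_pub])
    return recovered == session_key, host_code == alice_code
```

Calling `run_meeting()` returns `(True, True)`, while `run_meeting(mitm=True)` returns `(True, False)`: the key is delivered either way, and only the code comparison reveals the substitution.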
"We have proposed a roadmap for bringing end-to-end encryption technology to Zoom Meetings," Zoom said in its document. "At a high level, the approach is simple: use public key cryptography to distribute a session key to a meeting's participants and provide increasingly stronger bindings between public keys and user identities. However, the devil is in the details, as user identity across multiple devices is a challenging problem, and has user experience implications. We proposed a phased deployment of end-to-end security, with each successive stage giving stronger protections."
After reviewing the feedback from customers and other interested parties, Zoom will update and refine its document and finally announce its plans for deploying the new end-to-end encryption and other security enhancements.
Image: Alistair Berg / Getty Images