As the coronavirus has forced quarantines, there’s been a surge in demand for virtual meeting and video chat apps. Though many such apps have seen an increase in use, Zoom has been one of the top beneficiaries, popular both with individuals and organizations. But Zoom has also been criticized for its weak security and privacy measures, leading to problems such as Zoom bombing. Further, Zoom currently lacks the full type of end-to-end encryption that more traditional business services employ. A document posted by Zoom on Friday explains how the company hopes to more fully protect sensitive meeting data and communications.
In its Friday blog post, Zoom announced the draft publication for its end-to-end-encrypted offering. Contending that security and privacy are the two “pillars” of its new plan, Zoom has published its document on GitHub for peer review, hoping to kick off discussions and get feedback from cryptographic experts, nonprofits, advocacy groups, and customers.
SEE: Zoom 101: A guidebook for beginners and business pros (TechRepublic Premium)
Zoom meetings currently offer encryption but with certain limitations. Encryption is used to protect the identity of users, call data between Zoom clients and Zoom’s infrastructure, and meeting contents. When a Zoom client is authorized to join a meeting, that client is given a 256-bit security key from Zoom’s server. But the Zoom server retains the security key provided to meeting participants, thereby lacking true end-to-end key management and encryption.
The lack of full end-to-end encryption means that an attacker who can monitor Zoom’s server infrastructure and gain access to the memory of the relevant Zoom servers could defeat the encryption for a specific meeting. As such, that person could then view the shared meeting key, derive session keys, and decrypt all meeting data.
To fix some of its security holes, Zoom outlined the goals of its proposal as follows: 1) Only authorized meeting participants should have access to their meeting’s data; 2) Anyone excluded from a meeting should not have the ability to corrupt the content of that meeting; 3) If a meeting participant engages in abusive behavior, there should be an effective way to report that person to prevent further abuse.
To advance its goals, Zoom has organized its proposal into four phases.
Phase 1. In the first phase, every Zoom application will generate and manage its own public/private security key pairs with those keys known only to the client. The clients will be able to generate and exchange its session keys without needing to trust the server. During this initial phase, this specific security key improvement will support only native Zoom clients and Zoom Rooms, and only scheduled meetings.
Phase 2. In the second phase, Zoom plans to unveil two features for users to track each other’s identities without having to trust Zoom’s servers. One feature is an Identity Provider Initiated Single Sign-On (SSO IdP) that can cryptographically vouch for the identity of each user.
Phase 3. In the third phase, Zoom will launch a feature that forces its servers to sign and immutably store each user’s security keys, ensuring Zoom provides a consistent reply to all clients about the keys. This will be created through a “transparency tree,” a feature similar to those used in Certificate Transparency and Keybase.
Phase 4. In the final phase, devices will be even more strongly authenticated. A meeting participant will have to sign new devices using existing devices, use an SSO IdP to reinforce device additions, or delegate authentication to an IT manager. Until one of these conditions is met, the participant’s devices will not be trusted.
With these new security initiatives, Zoom also proposed certain changes to its client application.
The interface for setting up a meeting will feature a new checkbox called End-to-End Security. If this box is checked, the “Enable Join Before Host” checkbox becomes grayed out and deselected, the cloud recording feature becomes disabled, and all clients must run the official Zoom client software; those using the Zoom website, legacy Zoom-enabled devices, or a dial-in connection will be locked out of the meeting.
After the meeting starts, all participants will see a meeting security code they can use to verify that no one’s connection to the meeting was intercepted. The host can read this code out loud, and all participants can check that their clients display the same code.
“We have proposed a roadmap for bringing end-to-end encryption technology to Zoom Meetings,” Zoom said in its document. “At a high level, the approach is simple: use public key cryptography to distribute a session key to a meeting’s participants and provide increasingly stronger bindings between public keys and user identities. However, the devil is in the details, as user identity across multiple devices is a challenging problem, and has user experience implications. We proposed a phased deployment of end-to-end security, with each successive stage giving stronger protections.”
After reviewing the feedback from customers and other interested parties, Zoom will update and refine its document and finally announce its plans for deploying the new end-to-end encryption and other security enhancements.