Zoom claims to offer end-to-end encryption -- even though that's not strictly true
Security is a serious concern for anyone using the internet, and especially for businesses. Among those seeking a video conferencing tool to see them through the home working that coronavirus has forced on many people, Zoom has proved to be an incredibly popular choice, and its claim to offer end-to-end encryption very probably swayed a few decisions.
An investigation carried out by the Intercept found that, despite Zoom's claims, the service does not really support end-to-end encryption for video and audio content. In reality, all it offers is TLS, but Zoom has chosen to refer to this as being end-to-end encryption.
As the Intercept points out, Zoom makes claims about the use of end-to-end encryption on its website, in a security white paper and within its apps. But it seems that Zoom is using its own definition of end-to-end encryption, one that differs from what the term is usually understood to mean. The company says: "When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point".
It adds: "content is not decrypted as it transfers across the Zoom cloud".
Asked to comment, a Zoom spokesperson told the Intercept:
"Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."
Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, says that Zoom is being "a little bit fuzzy about what's end-to-end encrypted", adding, "I think they're doing this in a slightly dishonest way. It would be nice if they just came clean".
While there is nothing to suggest that this has happened, the lack of proper end-to-end encryption means that it would be possible for Zoom to intercept audio and video meetings.