Not that we save anything from Zoom that I need to be concerned about key storage for, but concerning nonetheless.
"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."
https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...
>There is the thing that all Zoom keys are kept and maintained in China
Their complaint was about Zoom's encryption key generation and distribution practices. The post you linked has nothing about the key distribution scheme Zoom needs to implement so they actually have end-to-end encryption.
https://blog.cryptographyengineering.com/2020/04/03/does-zoo...
Without proper encryption, it doesn't matter if all participants in a meeting only connect to Zoom servers since you don't know what Zoom could be doing inside their network. Are they actually routing data without any storage, or are they storing the data and sending a stream out the back door to interested parties? But with true end-to-end encryption, it doesn't matter what Zoom does with the meeting data since only the participants can decrypt it.
Not to mention that for a sufficiently interested actor, they don't need to access Zoom's network to intercept a copy of a meeting as it makes its way through the internet to a Zoom server. End-to-end encryption also ensures they only get junk.
We need more details about this, ideally from Zoom, as this is not really a lot of detail, and includes a lot of "apparently", "we suspect", etc.
A number of our hospital customers were diving in head first with Zoom, but are now backing off. I am curious to hear if there is any legal fallout from any of this.
[1] https://theintercept.com/2020/04/03/zooms-encryption-is-not-...