undefined | Better HN

0 pointsmagicsmoke6y ago0 comments

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."

0 comments

kryogen1c6y ago

this is explicitly not what I asked, and not what the person I was replying to said. besides, zoom already owned this mistake.

https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

magicsmokeOP6y ago

Zoom said that their meeting data is no longer routed through China's servers. That's not what citizenlab's complaint was, and also not what the original poster stated.

>There is the thing that all Zoom keys are kept and maintained in China

Their complaint was about zoom's encryption key generation and distribution practices. The post you linked has nothing about the key distribution scheme zoom needs to implement so they actually have end-to-end encryption.

https://blog.cryptographyengineering.com/2020/04/03/does-zoo...

Without proper encryption, it doesn't matter if all participants in a meeting only connect to zoom servers since you don't know what zoom could be doing inside their network. Are they actually routing data without any storage, or any they storing the data and sending a stream out the back door to interested parties? But with true end-to-end encryption, it doesn't matter what zoom does with the meeting data since only the participants can decrypt it.

Not to mention that for a sufficiently interested actor, they don't need to access zoom's network to intercept a copy of a meeting as it makes its way through the internet to a zoom server. End-to-end encryption also ensures they only get junk.

kryogen1c6y ago

I actually have no idea what argument youre making.

OP: all Zoom keys are kept and maintained in China

me: got a source for that claim?

you: quote citizen lab, sometimes zoom keys are sent to china

me: i didn't ask if keys were sometimes sent to china and that's not what OP said

you: not what the original poster stated.

this is where you lost me

> But with true end-to-end encryption, it doesn't matter

i never said it mattered. i don't care if zoom is e2e encrypted or not, which is why i didn't bring it up.

> Not to mention that for a sufficiently interested actor, they don't need to access zoom's network

people get away with this internet boogeyman argument because its technically true, but what percentage of internet traffic inside the continental US is actually being monitored and exfiltrated to APTs? compromises happen internally. i cant remember any stories of a data breach occurring with data in transit, as opposed to data at rest.

secabeen6y ago

> During a test of a Zoom meeting with two users, one in the United States and one in Canada, we found that the AES-128 key for conference encryption and decryption was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, 52.81.151.250. A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers.

We need more details about this, ideally from Zoom, as this is not really a lot of detail, and includes a lot of "apparently", "we suspect", etc.

j / k navigate · click thread line to collapse

0 comments

kryogen1c6y ago

this is explicitly not what I asked, and not what the person I was replying to said. besides, zoom already owned this mistake.

https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

magicsmokeOP6y ago

Zoom said that their meeting data is no longer routed through China's servers. That's not what citizenlab's complaint was, and also not what the original poster stated.

>There is the thing that all Zoom keys are kept and maintained in China

https://blog.cryptographyengineering.com/2020/04/03/does-zoo...

kryogen1c6y ago

I actually have no idea what argument youre making.

OP: all Zoom keys are kept and maintained in China

me: got a source for that claim?

you: quote citizen lab, sometimes zoom keys are sent to china

me: i didn't ask if keys were sometimes sent to china and that's not what OP said

you: not what the original poster stated.

this is where you lost me

> But with true end-to-end encryption, it doesn't matter

i never said it mattered. i don't care if zoom is e2e encrypted or not, which is why i didn't bring it up.

> Not to mention that for a sufficiently interested actor, they don't need to access zoom's network

secabeen6y ago

We need more details about this, ideally from Zoom, as this is not really a lot of detail, and includes a lot of "apparently", "we suspect", etc.

j / k navigate · click thread line to collapse