Zoom faces challenges in implementing end-to-end encryption
Zoom has released a draft plan to enable end-to-end encryption in four phases. The company has not said when it will launch.
Zoom has outlined a four-phase plan for implementing end-to-end encryption. But the company will face hurdles as it attempts to add the security protocol to its video conferencing service.
Each phase of the plan will improve security but leave vulnerabilities that Zoom plans to address in the future. However, the company's draft white paper provides less detail about the later stages of the project.
"This is complex stuff," said Alan Pelz-Sharpe, founder of research and advisory firm Deep Analysis. "You can't just plug and play end-to-end encryption."
Zoom has not said when end-to-end encryption will launch or who will get access to it. At least initially, the service will likely be available only to paid customers.
The goal of the effort is to give users control of the keys used to decrypt their communications. That would prevent Zoom employees from snooping on conversations or from letting law enforcement agencies do the same.
Zoom previously advertised its service as end-to-end encrypted. But in April, the company acknowledged that it wasn't using the commonly understood definition of that term. The claim has provided fodder for numerous class-action lawsuits.
The first phase of the plan will change Zoom's security protocol so that users' clients -- not Zoom's servers -- generate encryption keys. The second phase will more securely tie those keys to individual users through partnerships with single sign-on vendors and identity providers.
The third step will give customers an audit trail to verify that neither Zoom nor anyone else is circumventing the system. And the fourth will introduce mechanisms for detecting hacks in real time.
One weakness is the scheme's reliance on single sign-on vendors and identity providers to match encryption keys to the users who own them. That will leave customers that don't use those services less secure, potentially increasing the risk of meddler-in-the-middle attacks.
Zoom also won't be able to apply the protocol to all endpoints. Excluded clients include Zoom's web app and room systems that use SIP or H.323. Zoom also can't apply end-to-end encryption to audio connections made through the public telephone network.
Turning on end-to-end encryption will disable certain features. Users won't be able to record meetings or, at least initially, join before the host. These limitations are typical of end-to-end encryption schemes for video communications.
Engineers from the messaging and file-sharing service Keybase are leading Zoom's encryption effort. Zoom acquired Keybase in early May as part of its effort to improve security and privacy.
Zoom released a draft of its encryption plan on GitHub on May 22. The company is accepting public comments on the proposal through June 5. In the meantime, Zoom is urging customers to update their apps by May 30 to get access to a more secure encryption mode called GCM.
Zoom has been working to repair its reputation after a series of news reports in March revealed numerous security and privacy flaws in its product. An influx of users following the global outbreak of coronavirus put a spotlight on the company.
Users and security experts criticized Zoom for prioritizing ease of use over security. They also faulted the company for not being transparent enough about its encryption and data-sharing practices.
"The criticism was justified and warranted and needed because otherwise these things don't get fixed," said Tatu Ylonen, a founder and board member of SSH Communications Security. "I would applaud them for actually taking action fairly quickly."
More recently, Zoom celebrated some wins. The company settled with the New York attorney general's office, warding off a further investigation into its security practices. Zoom also got the New York City public school district to undo a ban on the product that had drawn national headlines in April.
But the company will need to do more to win back the trust of some security-minded buyers.
"I think they've responded very quickly," Pelz-Sharpe said. "But if I were advising a compliant company on a product to buy, it probably wouldn't be on my list."