by wheelerwj 2272 days ago
Wow!! Zoom, you were better off not having written that blog. You guys are some shady assholes.

Everything from the text to the graphics is intended to mislead and obscure. I don’t think I’ve seen a company act in such bad faith since Theranos was a thing.

In my opinion they seem better off from this blog post. For example yesterday I read this comment[1] and it seemed to say Zoom always decrypts the content on the servers, in which case it's very bad to say it's "end-to-end encrypted". But this blog post explains that if you don't have any external connector attached, it in fact is end-to-end encrypted, no false advertising. When you have an external connector attached it seems to me very difficult if not impossible to make it end-to-end encrypted, so it's reasonable that it's not. The problem is that they continued to say it was end-to-end encrypted even in that case when it's not and not possible to do so.

[1] https://news.ycombinator.com/item?id=22754699

> if you don't have any external connector attached, it in fact is end-to-end encrypted,

It doesn't say that at all.

> we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

This seems to say it, but I guess as luckylion points out, e2e doesn't mean not decrypted in the middle, it means no one besides the ends has the key. So you're right, the design they say isn't really e2e encrypted.

Devil's advocate: if I take any e2e chat system and escrow the keys from the clients to my server is it still e2e?

I'm not sure what escrow means in this context. But if the server has the keys, I would say no, it's not e2e.

This aligns with the definition on Wikipedia too

> it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.

> But this blog post explains that if you don't have any external connector attached, it in fact is end-to-end encrypted, no false advertising.

No, it says that they don't decrypt it until it reaches the other client, not that they can't decrypt it.

I now agree with your point that it's not really e2e encrypted, because they never claim they don't have the key.

But I don't think "can't decrypt it" is necessarily a requirement for e2e encryption. Maybe can't decrypt it with a passive attack. With an active attack it's possible to decrypt even e2e encrypted stuff assuming there's no out of band key exchange. Most Zoom users won't bother with an out of band key exchange.
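
The last comment's point about active attacks and out-of-band key exchange, as an added example that is not part of the thread: a toy Diffie-Hellman exchange relayed by a server, showing that a substituted key gives the server the session key and that the two users catch it only by comparing a fingerprint over another channel. The group parameters, function names and 12-character fingerprint are assumptions for illustration, not Zoom's protocol.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumed for illustration; not a vetted group).
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a symmetric key from our private key and the public key we received."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def fingerprint(pub_a, pub_b):
    """Short code the two users compare out of band; independent of argument order."""
    lo, hi = sorted((pub_a, pub_b))
    data = lo.to_bytes(32, "big") + hi.to_bytes(32, "big")
    return hashlib.sha256(data).hexdigest()[:12]


def exchange(relay=None):
    """Run one exchange through a server.

    relay=None: the server forwards public keys unchanged.
    relay=(priv, pub): the server hands each client its own public key instead.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_a = relay[1] if relay else b_pub  # what A believes is B's key
    seen_by_b = relay[1] if relay else a_pub  # what B believes is A's key
    key_a = session_key(a_priv, seen_by_a)
    key_b = session_key(b_priv, seen_by_b)
    return {
        # In-band view: a relay that re-encrypts traffic hides this mismatch.
        "keys_match": key_a == key_b,
        # True when the server can derive the key A is encrypting with.
        "relay_has_key": bool(relay) and session_key(relay[0], a_pub) == key_a,
        # Out-of-band check: each user computes this locally and reads it aloud.
        "fingerprints_match": fingerprint(a_pub, seen_by_a) == fingerprint(b_pub, seen_by_b),
    }
```
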