[geofft]

Wait, I thought Telegram was worse than that - Zoom does (what appears to be) end-to-end encryption if you have four native Zoom clients in a meeting. Telegram doesn't do end-to-end if you have four Telegram clients in a group chat, right?

(I might be missing something about either Zoom or Telegram)

[tptacek]

I think you're right! I'm more interested in the double standard (and the dynamics of a pile-on) than the details.

[geofft]

Yeah, I'm honestly a bit surprised because I personally would agree with Zoom that what they're doing is "end-to-end encryption." (Maybe it'd be nice if they had a "mandatory e2e" checkbox that you had to uncheck to get a dial-in phone number, but, obviously when I call a number by phone I know there's no e2e going on.)

I think the pile-on is mostly because finding security problems with Zoom is the cool new thing to do. There's been no shortage of genuine security problems with Zoom (and an apparent lack of security culture) but I think we've now gotten to e.g. "you can use Zoom to trigger a Windows design flaw that's been around for years" or "when you set up a meeting anyone can join, anyone can join the meeting" or whatever, and the media is happy to pick that up.

[tptacek]

There's a backlash in vulnerability research circles, because we've all had to deal with systems that are much, much worse (Webex, for example). I'm not a fan of Zoom or anything, but the concerns they're generating about security are unbalanced and not especially reasonable.

But, again: we've had long threads on HN "debating" the notion that Telegram is E2E-encrypted by dint of TLS to Telegram's servers, as if that was a legitimate proposition. Because Telegram has a cheering section, and Zoom, it seems, does not.

[sweeneyrod]

If what Zoom is doing in the first diagram is end-to-end encryption, what would non-e2e encryption for that set up look like?

[geofft]

Data decrypted when it reaches Zoom's servers, e.g., sending video directly over TLS to a webserver that then sends it to someone else over TLS.

This is what Slack, Skype, Google Hangouts, etc. do.

[duskwuff]

Telegram only uses end-to-end encryption for "secret chats" and voice calls. Group chats and standard person-to-person chats are not end-to-end encrypted, and I don't believe Telegram has made any claims to the contrary.

(Encrypted messaging is a hard problem, especially when you have to deal with users with multiple devices which are offline intermittently, or users joining an established group chat. Telegram has taken the sensible approach of not trying to solve this.)

[tptacek]

Encrypted messaging is a solved problem, and even WhatsApp manages end-to-end group chats. Telegram does not, but claims in its FAQ that "All Telegram messages are always securely encrypted" (it is referring explicitly to group messaging). Telegram is far more misleading than Zoom is, but again, Zoom lacks the cheering section. Maybe if they released a ZoomCoin.

[duskwuff]

Fair point on the FAQ. At least they didn't explicitly misuse the term "end-to-end"?

That being said, I'm not certain encryption is an entirely solved problem for the case of multiple devices, including web clients, or for large public groups. (WhatsApp only supports a single client -- their web interface attaches to the phone -- and their group chats are limited to 256 members.) I'm not sure it can be solved under the current model Telegram uses for authorizing devices, as the server can authorize a device to access an account, and any non-secret chats it was involved in, without the involvement of any previously signed-in devices.

[rjmunro]

Zoom does not do end-to-end encryption. End to end encryption means that only the end user can decrypt the message. Zoom central can decrypt the message, because they hold the keys. They mostly don't bother, but that's just an optimisation.

At any point, someone could go into Zoom's systems, get the keys to your chat, and monitor you, and you would have no way of knowing.

[luckylion]

> Zoom does (what appears to be) end-to-end encryption if you have four native Zoom clients in a meeting.

I don't understand their blog post that way. From the post: we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients. That sounds like "we could decrypt it, but we promise not to". That's not e2e.

They continue with When users join Zoom meetings using devices that do not inherently use Zoom’s communication protocol, such as a phone (connected via traditional telephone line, rather than the app) or SIP/H.323 room-based systems, Zoom’s encryption cannot be applied directly by that phone or device so if those users can join the meeting after it has been established between Zoom-clients, it's not e2e.

[geofft]

> if those users can join the meeting after it has been established between Zoom-clients, it's not e2e.

I don't think that follows.

First, it's absolutely possible to design an E2E system where users can join the meeting after it started: https://signal.org/blog/private-groups/

Second, you can have your phone gateways be stateless and unprivileged: when a user calls up the phone gateway, it generates a new keypair. The user enters their PIN and the phone gateway derives a key from the PIN using your favorite password hashing algorithm, HMACs their public key with the PIN, and sends it to the existing participants. The other participants have the same PIN, so they can decide to let this public key join the call without allowing random callers to join. (I'm not sure if Zoom does this, but it's straightforward enough and it makes the phone gateways much less juicy of an attack target, especially because you can now reboot the gateways from read-only media and you don't need to provision them a secret, so I hope they do.)

Now we're left with the argument about whether it really counts as "end-to-end" if the plain-old-telephone-system part of the connection isn't encrypted, but also it can't be, so I'm not sure anyone reasonably expected it to be encrypted. Anyone who really wants "end-to-end" encryption can just make sure nobody joins their call by phone. (In the end, end-to-end encryption is a tool to make sure the right people join your meeting - i.e., anyone who cares about end-to-end encryption already cares about who the ends are.)