by gregmac 2264 days ago
> How could they guarantee end-to-end if not all gadgets support encryption?!

They can't. So they shouldn't.

> In light of this post it looks like for the majority of users it is end-to-end encrypted.

It absolutely is not. What they can say is for the vast majority of users, the streams are encrypted between all clients, and due to policy, Zoom won't view them as they pass through.

The problem is Zoom could intercept and decrypt streams, if they wanted to, which is why you can't call this "end-to-end encryption" [1].

[1] https://en.wikipedia.org/wiki/End-to-end_encryption

2 comments

> The problem is Zoom could intercept and decrypt streams, if they wanted to

And we have the spirit of encryption to guarantee they, or a third party who infiltrated/hacked them, won't.

>> and in that spirit, we used the term end-to-end encryption

The spirit of encryption? What does that mean? End to end encrypted means from one client through all networks and servers to the other client, no one can decrypt the traffic. Anything besides that is not end to end.

It means nothing but this is what Zoom tells us we have. Encryption given "in the spirit" of their intentions.

> Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption.

Oh, I missed your sarcasm originally. I agree that it’s meaningless.

Their ability to do so is no different than anyone else's. They are literally running a client that is set up in their cloud.

This is the intrinsic contradiction of meeting software. Once you're in the meeting, the whole point is that you have access to the content. If you don't want zoom to have access to your content, don't invite them to your meeting.

It's possible to do E2E encryption even with a web client. The endpoints exchange keys, possibly with certificates that validate who is on the other end, and then the web client encrypts the stream and sends it either directly to the other endpoint or to a Zoom server, which relays it but doesn't possess the decryption key. Their statements are pretty vague, but my impression is that Zoom servers decrypt the stream and then re-encrypt it. That is not end-to-end encryption; in fact, the specific difference between normal TLS-type encryption and end-to-end is that the server has no ability to decrypt the traffic.
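
The two designs contrasted in the comment above, as an added example that is not part of the thread and is not Zoom's code: a relay that only forwards ciphertext versus a server that decrypts and re-encrypts. The function names, the `demo-media-key` label and the choice of X25519 with AES-256-GCM are assumptions made for illustration, and the endpoints' public keys are assumed to be authenticated out of band.

```javascript
const nodeCrypto = require('node:crypto');

// Each side derives the same AES-256 key from an X25519 exchange.
function deriveKey(myPrivate, peerPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'demo-media-key', 32));
}

function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Returns what the server operator can read ("seen") and what the
// receiving client gets ("delivered") in each design.
function serverView(mode, frame) {
  const alice = nodeCrypto.generateKeyPairSync('x25519');
  const bob = nodeCrypto.generateKeyPairSync('x25519');
  const server = nodeCrypto.generateKeyPairSync('x25519');
  if (mode === 'e2e') {
    // The server forwards public keys and ciphertext; it holds no session key.
    const packet = seal(deriveKey(alice.privateKey, bob.publicKey), frame);
    let seen = null;
    try {
      seen = open(deriveKey(server.privateKey, alice.publicKey), packet);
    } catch (e) { /* wrong key: the GCM tag check fails */ }
    return { seen, delivered: open(deriveKey(bob.privateKey, alice.publicKey), packet) };
  }
  // 'hop-by-hop': each client shares a key with the server, which decrypts
  // the inbound stream and re-encrypts it for the other client.
  const inbound = seal(deriveKey(alice.privateKey, server.publicKey), frame);
  const seen = open(deriveKey(server.privateKey, alice.publicKey), inbound);
  const outbound = seal(deriveKey(server.privateKey, bob.publicKey), seen);
  return { seen, delivered: open(deriveKey(bob.privateKey, server.publicKey), outbound) };
}
```

In both modes the receiver gets the frame and the traffic on the wire is encrypted; the only difference is whether `seen` is `null` or the plaintext. If the server could swap the public keys it relays, the `e2e` branch would degrade into the second one, which is why the key authentication assumption matters.
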
Yes... and so what you're saying is it's possible that any web client, even one that Zoom runs, could enter into the conversation.

Wait, that's exactly how the product works...