by geofft 2264 days ago
Yeah, I'm honestly a bit surprised because I personally would agree with Zoom that what they're doing is "end-to-end encryption." (Maybe it'd be nice if they had a "mandatory e2e" checkbox that you had to uncheck to get a dial-in phone number, but, obviously when I call a number by phone I know there's no e2e going on.)

I think the pile-on is mostly because finding security problems with Zoom is the cool new thing to do. There's been no shortage of genuine security problems with Zoom (and an apparent lack of security culture) but I think we've now gotten to e.g. "you can use Zoom to trigger a Windows design flaw that's been around for years" or "when you set up a meeting anyone can join, anyone can join the meeting" or whatever, and the media is happy to pick that up.


There's a backlash in vulnerability research circles, because we've all had to deal with systems that are much, much worse (Webex, for example). I'm not a fan of Zoom or anything, but the concerns they're generating about security are unbalanced and not especially reasonable.

But, again: we've had long threads on HN "debating" the notion that Telegram is E2E-encrypted by dint of TLS to Telegram's servers, as if that was a legitimate proposition. Because Telegram has a cheering section, and Zoom, it seems, does not.

If what Zoom is doing in the first diagram is end-to-end encryption, what would non-e2e encryption for that setup look like?
Data decrypted when it reaches Zoom's servers, e.g., sending video directly over TLS to a webserver that then sends it to someone else over TLS.

This is what Slack, Skype, Google Hangouts, etc. do.