by itcrowd 2266 days ago
The story here is that Zoom uses key distribution servers located in China (in addition to several servers in the USA) and that Chinese law might be compelling Zoom to disclose the encryption keys. I think it is a valid concern, but for me it also raises the question of whether this may also be required in the US.

In addition to letting the Chinese (and possibly US) government in on the encryption keys, the encryption scheme is also badly broken (ECB mode of AES). Prof. Matthew Green has written many articles about AES and encryption more generally and I recommend his blog if you are interested (even as a lay person).

https://blog.cryptographyengineering.com/2011/12/01/how-not-...

3 comments

They are using ECB mode? I don't know of a single crypto library that would pick that as a default, so someone actually made this decision (like actively lowered encryption capability). I thought some of the previous issues were not too bad, but this leaves me wondering...
Who the hell still uses ECB?
Wikipedia has a great visualization of this for those who are curious: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation...
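The pattern leak that the Wikipedia picture shows can be reproduced in a few lines. The following Go program is an added example written for this thread, not code from Zoom or from any commenter; the key and IV are constructed, non-secret demo values, and the `ecbEncrypt` helper is hand-written because Go's `crypto/cipher` package deliberately ships no ECB mode (which supports the point above that nobody gets ECB by default). It encrypts the same 16-byte block eight times and counts distinct ciphertext blocks: ECB yields one repeated block, so identical plaintext blocks are visible to anyone holding the ciphertext, while CBC yields eight different ones. A second helper shows that the AES variant is decided by the key length alone, which is how a claim of "256-bit" keys can be checked against the key material actually in use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies the raw block cipher to each block independently.
// The standard library offers no ECB mode on purpose; this is written out
// only to show what the mode leaks. Plaintext must be a multiple of the block size.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains each block into the next, starting from the IV, so equal
// plaintext blocks no longer produce equal ciphertext blocks.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// countDistinctBlocks returns how many different block-sized chunks data contains.
func countDistinctBlocks(data []byte, bs int) int {
	seen := make(map[string]struct{})
	for i := 0; i+bs <= len(data); i += bs {
		seen[string(data[i:i+bs])] = struct{}{}
	}
	return len(seen)
}

// aesVariant reports which AES variant a key selects. Only the key length
// matters: 16 bytes is AES-128, 24 is AES-192, 32 is AES-256; anything else is rejected.
func aesVariant(key []byte) (string, error) {
	if _, err := aes.NewCipher(key); err != nil {
		return "", err
	}
	return fmt.Sprintf("AES-%d", len(key)*8), nil
}

// demo encrypts one 16-byte block repeated eight times under a constructed
// AES-128 key and returns the number of distinct ciphertext blocks that ECB
// and CBC each produce.
func demo() (ecbDistinct, cbcDistinct int, err error) {
	key := []byte("0123456789abcdef") // constructed demo key, 16 bytes => AES-128
	iv := []byte("fedcba9876543210")  // constructed, fixed IV so the run is reproducible
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	plaintext := bytes.Repeat([]byte("the same block!!"), 8) // 8 identical 16-byte blocks
	bs := block.BlockSize()
	ecbDistinct = countDistinctBlocks(ecbEncrypt(block, plaintext), bs)
	cbcDistinct = countDistinctBlocks(cbcEncrypt(block, iv, plaintext), bs)
	return ecbDistinct, cbcDistinct, nil
}

func main() {
	ecb, cbc, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("distinct ciphertext blocks: ECB=%d CBC=%d\n", ecb, cbc)
	for _, k := range [][]byte{
		[]byte("0123456789abcdef"),
		[]byte("0123456789abcdef0123456789abcdef"),
	} {
		v, _ := aesVariant(k)
		fmt.Printf("%d-byte key -> %s\n", len(k), v)
	}
}
```

Running it prints `ECB=1 CBC=8`: under ECB every repeated plaintext block maps to the same ciphertext block, which is exactly the structure the Wikipedia image makes visible, whereas CBC's chaining hides it. The `aesVariant` check is the simplest way to verify a vendor's key-size claim from the key length a client actually hands to the cipher.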
That is truly amazing. I know precious little about encryption, but I assumed everyone knows that ECB is bad and that CBC is the only sensible way to do AES.

[edited for typo]

Your first point is correct, second is definitely not.
See how precious little I know about encryption? And yet even I know that ECB is a terrible choice!

(In minor defense of self, I should have said CBC or "later").

Hint: copy-pasters*

* from internet or from old codebases of one’s company

Don’t forget the straight-up lying about using 256-bit keys when they are actually using 128-bit keys