by jamesaepp
2267 days ago
The problem for the mob rests on the fact that they advertise the system as being e2e, when it is not - at least with the definition I use for e2e.

https://zoom.us/security

My rule-of-thumb (NOT A LITMUS TEST) for e2e is as follows: If you have exchanged the public or pre-shared key(s) with the partner(s) out-of-band OR you had your public key signed by a NEUTRAL (key word) third party who is mutually trusted, then yes - you are likely using e2e.

If Zoom generated the keypairs, signed them, and transported the public keys themselves without an external independent library - I don't consider that e2e because they are the middle man every step along the way.

Should we treat other companies the same way if they claim they use e2e but don't? Yes, absolutely.

This situation is bittersweet, it's (a bit) unfair to Zoom, but hopefully this will spark healthy discussions around what e2e is and more importantly, what it is not.