[dijksterhuis]

Sure. Study a PhD in cryptanalysis and reverse engineering.

If you want to look at something now, the white paper for the E2E protocol design is public and open right now: https://github.com/zoom/zoom-e2e-whitepaper

On a more serious note, until there is a protocol and implementation available then we can't say anything for sure. Us Security folks aren't magicians.

[manquer]

That was uncalled for . Yes it is hard or impossible to do in zoom .

If these tools use open standards and well documented protocols this will not be a problem.

I can verify without a phd in cryptoanalyis and reverse engineering my browser is running a secure connection to a website and certificate is signed by the source(for sites enabled with FS and HSTS ).

[dijksterhuis]

Don't get me started on browser certificates. That's a whole week of my life I'll never get back.

The short versiom of it is, your browser trusts CAs to say whether a certificate is valid. But CAs often trust other CAs who may not actually be that trustworthy. Those CAs then trust other CAs who definitely are not as trustworthy... Etc.

So that certificate/padlock picture in your browser may not be as trustworthy as you think. It's an active problem.

[SXX]

Mandatory Ceryificate Transparency is solve problem of trust to CAs quite well though.

[dijksterhuis]

In terms of an actually relevant reply that's not bemoaning browser certs...

Yes I was a bit harsh. But I was trying to demonstrate a point - no one knows for sure until we can look at this stuff in detail. Until the researchers get to pull it apart then no one can verify anything. The little green tick on a zoom call is practically worthless until some external work is done.

The protocol is documented and open. I linked to it in my comment.

[manquer]

The open proctols for RTC today is webTRC. Zoom does not use webRTC. If the proctols Are open like http then I can build my own client and do not have to use theirs (just like you can your own hacker news app) . Zoom will not use webRTC for this precise reason. If they and all others did I can choose my client and I can choose a client who I trust and will give my green tick open source or not .

Google supported jabber in chat for a long time , slack supported IRC (both dropped the support ) but when they did you could any irc client in slack or use google chat using jabber with any client

If an open protocols for video are used like email (although not good example for encryption). It does not matter who your service provider is you can verify they are secure , or move to another one .

Today I have more than 10 video conferencing apps on my devices (zoom, Hangouts, meet, Webex , teams, GoToMeeting , chime , Skype, SfB, FaceTime , signal, telegram , ring central and Uber conference... ) because a customer , partner friend or family uses one of those . I have only one email and browser client though, it does not have to open source at all, ppl happily pay for closed source gmail or o365 without worrying will my mails deliver to you while still using official client or client of their choice

[dijksterhuis]

Sorry, to clarify, when i say protocol I specifically mean the E2E encryption protocol.

Also, have you thought about asking your clients/whatever to use one app to communicate with you? Even if you get half of them onboard, it sounds like it would save you a lot of mental bother.

[manquer]

I wish , every company has their own app to use , they will invite you to their conference by default, asking 10 people on the call to change for 1-2 is not feasible.

Many of them cannot install any new native application on their desktop / phone without IT approvals or their vpn does not allow traffic to consumer apps like Hangouts . They also need to record for compliance , pre-Covid some apps like Webex are connected to their conference room bridges using dedicated lines and hardware etc

Family / friends do not use use biz tools , it not easier to convince Apple users who like FaceTime, messenger is popular in few countries , wechat in China , WhatsApp in other places .

It is easier install another app rather than trying to get your grandma to switch from one thing someone installed on her phone and she learnt to use.

[kwanbix]

Well, even if all of your software was open source, do you have the time to validate all of it, from the app to the OS? what about the CPU?

[manquer]

This is well known issue since Ken Thompson’s trusting trust paper and not what am I getting at it

It is degrees of trust . Trust is not absolute , neither is security . Depending on your threat models you have to secure yourself. More transparency improves security does not solve all the problems just makes it costlier for an attacker . If cost outweighs the benefit they will not attempt to do it.

Https does not magically make your communication 100% secure ,however the number of people who can issue a certificate from a comprised root CA or control one is considerably less than the number of people who can monitor your plain text traffic .

[TheSpiceIsLife]

I like your tone, and it lead me to think:

Any sufficiently advanced cryptography is indistinguishable from magic.

Which isn’t entirely untrue from a layperson’s perspective.

Edit: fixed a word. I’d accidentally written “is” rather than “isn’t”.