by rickyplouis 2194 days ago
Does end to end encryption help when it's known that much of the traffic is routed through China? Genuine question.

Yes. The whole point of end-to-end encryption is that your data is safe even when it goes through untrusted servers. (I know they might have a backdoor, or might screw it up somehow. But in principle, if they do it securely, then this holds.)
Is it possible for Zoom / the CCP to hold the encryption keys? That would make it insecure, right? (genuine question).
Yes, if the keys are held in servers that they have access to then they would be able to decrypt the traffic and see what is happening. The whole point of e2e encryption is that only the 2 parties have the keys. Zoom are abusing this term and making people believe they are doing e2e.
What makes you think they're abusing the term? Did you read their whitepaper?

https://github.com/zoom/zoom-e2e-whitepaper

The whitepaper is fine, it's the comments from Alex Stamos that make me think they are abusing the term.

https://twitter.com/alexstamos/status/1268061792527241216

He did not say they can't monitor calls.

https://twitter.com/alexstamos/status/1268061795572314113

If they can enter the meeting, either they have to get confirmation from the host who would send the keys to the person entering the meeting or they already have the keys and can enter the meeting and decrypt the stream.

Is this before or after their new E2EE plans?
They apparently 'define it differently' to every other company, organization, and infosec professional. This sort of thing used to be called lying, but it's essentially an 'alternative fact' now:

https://www.theverge.com/2020/3/31/21201234/zoom-end-to-end-...

Zoom, however, denies that it’s misleading users. The company told The Intercept, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” and that “content is not decrypted as it transfers across the Zoom cloud.”

Whether the paper is any different is sort of irrelevant if they're starting off from a place of bad faith. One time after another this company has 'accidents' like this, while removing CCP distinguished nonpersons from the platform. A sense of skepticism is certainly justified.

If implemented correctly, the server doesn’t get the key. Look up Diffie–Hellman key exchange for more information on how this is possible. This can be verified by auditing the client so you don’t need to trust Zoom.
> The Diffie–Hellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack.[1]

Whoever controls key distribution can control the encryption channel; without a way to verify public keys, all bets are always off. You're right that auditing the client is one (if not the only?) way to do this.

[1]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc...
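Added example, not part of the thread: a minimal Python sketch of the point made in the two comments above, that plain Diffie–Hellman keeps the key away from an honest relay, while a relay that substitutes public keys can read both legs unless the users compare a code derived from the keys their clients actually saw. The toy 127-bit group, the function names and the `security_code` scheme are assumptions made for illustration, not Zoom's design.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): a 127-bit Mersenne prime.
# Real systems use standardized groups or X25519.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Both sides hash the shared DH value into a symmetric key.
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def security_code(own_pub, seen_pub):
    # Hypothetical verification step: a short code derived from the two
    # public keys this client saw, compared by the users out of band.
    material = b"".join(k.to_bytes(16, "big") for k in sorted((own_pub, seen_pub)))
    return hashlib.sha256(material).hexdigest()[:12]

def run_exchange(relay_substitutes_keys):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_substitutes_keys:
        # The relay hands each side its own public key instead of the peer's.
        r_priv, r_pub = keypair()
        seen_by_a, seen_by_b = r_pub, r_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    key_a = session_key(a_priv, seen_by_a)
    key_b = session_key(b_priv, seen_by_b)
    # The relay can decrypt only if it can derive both legs' session keys.
    relay_can_decrypt = relay_substitutes_keys and (
        session_key(r_priv, a_pub) == key_a
        and session_key(r_priv, b_pub) == key_b
    )
    return {
        "keys_match": key_a == key_b,
        "relay_can_decrypt": relay_can_decrypt,
        "codes_match": security_code(a_pub, seen_by_a) == security_code(b_pub, seen_by_b),
    }

if __name__ == "__main__":
    print("honest relay:      ", run_exchange(False))
    print("substituting relay:", run_exchange(True))
```

Neither client sees an error when keys are substituted, so the mismatching codes are the only signal, and that check only helps if the client computing the code is itself trustworthy, which is where auditing the client comes in.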

This is true, but they are going to help law enforcement with calls that have bad content in them, the only way this can happen is if they have the ability to decrypt the streams or enter calls silently and get the keys.

Edit: Sorry for coming across a little brash, I'm quite a strong advocate of real encryption and this kind of dilution of terms makes my blood boil because terms are being diluted and people have trust in something that betrays them.

What do you mean by auditing the client... Like audit the source code or something that we could do independent of the source code? (serious question)
You can audit the client either through source code or through very painful binary analysis.
It would, and apparently they do, don't want to spread rumors though, so take this with a grain of salt: https://news.ycombinator.com/item?id=23553453
Yes
That's factually untrue, it's not "known".

To the contrary, you can pick the region for your servers, which presumably for 99% of people is precisely to avoid China:

https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-co...

There was a time when outside traffic routed through China. I believe Zoom said it was a mistake.

I'm not convinced that a setting alone should provide much confidence in terms of traffic routing considering that it can always be changed independent of what setting in the application you make.

> I believe Zoom said it was a mistake.

Yes, Zoom said it was unintentional.

For me, that's hard to believe. They weren't routing the call itself through China, they were just sending the encryption keys to a server in China. That seems pretty intentional. Even if they weren't routing the call through China from a user's perspective, their US server could still be sending the call data to China or recording the call for playback (from China) later. Their track record around security is so bad that I would stay as far away as possible.

I'm skeptical too.

Unfortunately for folks who are good actors in other non-free countries... I find any sort of development or real world controls that are in a seriously non-free country... automatically suspicious.

Even good individual developers who have the best of intentions in those places could be subject to pressure and the likelihood we'd ever hear about it is near zero in many of those places.

Granted that 'could' happen in more free countries, but I'll hedge my bets there as there's a great deal more likelihood I would hear about it.

A product developed almost entirely within China is beholden to the whims of the CCP. Especially a billion dollar company. There is literally no escaping this reality.

If the CCP wants the keys, they'll get them.