by lukeschlather 711 days ago
All I can tell you is that Google Meet is thoroughly inferior to native Zoom, and the browser-based Zoom is also inferior. If you don't use both apps professionally, you don't have a feel for what it means to rely on such features working for effective communication, you don't have a basis for comparison. It's hard to quantify the cost of security, and it's equally hard to quantify the cost of bad UX.

Definitely during the pandemic - good UX meant I got to feel more present with friends and family and that was well worth any security cost.


I've used Zoom professionally in the browser literally within the past week, and it ran smoothly. We can trade anecdotes here, but it won't be very productive.

What I can tell you is that I felt at ease using Zoom in the browser knowing that I wasn't opening my computer up to a remote code execution vulnerability. Your UX concerns are a bit nebulous, but I'd be willing to bet that the risk assessment departments at most organizations could quantify the cost of a hacker gaining access to one of their employees' computers. I also used Zoom during the pandemic but I wasn't doing a ton of screen sharing (I was more interested in seeing my friends' and family members' faces rather than their screens).

Another thing is that the native Windows app can support 50 simultaneous video streams, which makes it possible to see more people. I was in dance parties during the pandemic with enough people that it meant that I could see 50 realtime streams of people dancing. It wasn't the same as being in a room with 50 other people dancing in sync, but it was better than only seeing 25 people at once. My problems aren't so much nebulous as too numerous to explain, I could go on for a while.

Of course a lot of this is Zoom vs. Google Meet, I'm sure a lot of the things I like about Zoom work fine in the browser - but not as well as with the simultaneous video streams limitation.

You can cost out security, but a lot of the things that I love about Zoom's native app are truly priceless - it means I can see and hear more of people I care about. Another thing is supporting dual monitors with different screens, it makes it very easy to rearrange and see more than one person I want to see at a glance. You can do it with multiple browsers and so on, but it's more fiddly and you spend more time fussing with the screens, which means less time actually paying attention to the people.

We might simply have different value systems because I could never justify putting myself at risk of a data breach in order to badly simulate the experience of attending an actual social event and dancing with other human beings. That feels very dystopian to me.

We're getting really deep into the intricacies of Zoom and Google Meet here, and I feel like we're losing the larger plot. If you have a battle station set up for Zoom parties with multiple monitors with 50 simultaneous dancers that you need to keep an eye on, and you don't mind the security risks, then maybe you represent a specific edge case, but I think the vast majority of software users have different requirements that web browsers satisfy handily.

You're at risk of a data breach the moment you connect your computer to the Internet. You need to do a complete threat model and explain how Zoom contributes to that risk, and weigh that against the benefits. If you have zero tolerance for a data breach you should delete the data so no one including you may access it. Zoom is reliably effective at transmitting data, you can use less reliable methods but Zoom deliberately often makes the choice that delivering data is preferable to not delivering data. I think this is a valid choice and in security we sometimes have to say "would I prefer to open myself up to attack, or would I prefer not to deliver this message at all?" Both are valid choices in different circumstances. Practically speaking I have conversations in public places all the time and I don't stress about the possibility that someone might be recording me with a parabolic microphone.

> You're at risk of a data breach the moment you connect your computer to the Internet [...] If you have zero tolerance for a data breach you should delete the data so no one including you may access it.

To reason by analogy, this is like me suggesting you wear a seatbelt while driving a car and you responding by saying: "well you're at risk the moment you step outside of your house, so if you really have no tolerance for injury you should simply not leave the house". You're saying instead of opening Zoom in the browser I should delete all personal data from my computer, and for what end? I'm doing this so that I can attend virtual dance parties efficiently? I don't understand how any rational cost-benefit analysis could yield such a conclusion.

> "would I prefer to open myself up to attack, or would I prefer not to deliver this message at all?"

This is absolutely a false dichotomy. The choice isn't between sending data and not sending data, the choice is between sending data in the browser vs sending the same data within a desktop application.

> You need to do a complete threat model and explain how Zoom contributes to that risk,

The Zoom desktop clients have had RCE vulnerabilities where hackers were able to remotely execute arbitrary code on victims' computers with zero user input required from the victims (they demonstrated this by remotely opening the calculator app). It's very obvious how Zoom contributes to that risk. "A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction [...] an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom [...] The browser version of the videoconferencing software is not impacted." [1]

> Practically speaking I have conversations in public places all the time and I don't stress about the possibility that someone might be recording me with a parabolic microphone.

Do you yell out your bank account number and routing number in public because you think the user experience of finding a private place to talk is too burdensome? Because that's metaphorically what you're arguing for.

[1] https://it.slashdot.org/story/21/04/09/209227/critical-zoom-...

> The Zoom desktop clients have had RCE vulnerabilities where hackers were able to remotely execute arbitrary code on victims' computers with zero user input required from the victims

There have been RCE vulnerabilities in browsers too. Do you have an example of a Zoom RCE vulnerability that wasn't fixed? The example you gave was one where Zoom was proactively publicizing their own work to recruit researchers to find vulnerabilities so they could be fixed before they caused actual issues - and Zoom fixed the issue, you're using Zoom's good behavior in security testing their app against them.

> Do you yell out your bank account number and routing number in public because you think the user experience of finding a private place to talk is too burdensome? Because that's metaphorically what you're arguing for.

No it's not, I wouldn't transmit my bank account number and routing number or similarly sensitive information over Zoom.

> This is absolutely a false dichotomy. The choice isn't between sending data and not sending data, the choice is between sending data in the browser vs sending the same data within a desktop application.

The choice is in fact between sending data and not sending data. I've given you one example (the limited number of simultaneous streams) where you're opting not to send data. You're just pretending that use case is invalid. There are other examples I could give, but they require more explanation and you seem determined to dismiss any examples I give.