[throwitaway1123]

> There have been RCE vulnerabilities in browsers too.

We're not comparing the security of web browsers as a whole to the security of the Zoom desktop client, we're comparing the security of the Zoom web app to the security of the Zoom desktop app. Can you find a single example of an exploit that allowed a hacker to execute arbitrary code on a user's computer after visiting zoom.com (even one that was eventually fixed)?

And also, almost all computer users are running web browsers (they come preinstalled on most consumer operating systems). So by downloading Zoom you're adding an additional threat vector on top of whatever threat your favorite browser already represents.

> The example you gave was one where Zoom was proactively publicizing their own work to recruit researchers to find vulnerabilities so they could be fixed before they caused actual issues - and Zoom fixed the issue, you're using Zoom's good behavior in security testing their app against them.

Every reputable organization has a bug bounty program (including browser vendors). You don't get a participation trophy for having a bug bounty program. You're missing the entire point which is that Zoom offered $200,000 to security researchers to find a vulnerability in their products and both of their desktop clients produced critical vulnerabilities yet the browser version did not. Which I would infer means that the browser version is more secure. Once again, do you have any examples of Zoom exploits in the browser?

Zoom can't keep producing vulnerabilities and getting a pass because they eventually fix them. This exploit's existence was publicized before Zoom fixed it. What if it was sold on the dark web and exploited in the interim?

> No it's not, I wouldn't transmit my bank account number and routing number or similarly sensitive information over Zoom.

People are absolutely transmitting critical information via Zoom. Courts literally use Zoom to remotely administer proceedings. I've heard of companies that ask employees to hold up sensitive documents in front of the camera to verify their identity. Hiding your head in the sand and saying "just don't send sensitive info via Zoom" is disingenuous at best. And even if you did buy in to the "just don't send sensitive data bro" argument it doesn't matter because an RCE exploit could potentially expose information that you never transmitted via Zoom that just happens to be sitting on your filesystem.

> The choice is in fact between sending data and not sending data. I've given you one example (the limited number of simultaneous streams) where you're opting not to send data.

The overwhelming majority of your examples have been cases where you've begrudgingly admitted that there's a way to accomplish your goal in the browser, albeit less efficiently. You started this conversation by admitting that you can share your screen in the browser, but doing so via the desktop app saved you a few minutes. I haven't found any published documentation from Zoom in regards to the streaming limit and I'm not willing to call up 49 other people to test this for an HN debate, but like I said, the vast majority of users can fulfill their needs in the browser. The average Zoom user is not hosting digital raves. I couldn't even imagine wanting to have 50 videos playing on my screen vying for attention. And again, there's no technical reason for why you couldn't implement 50 streaming videos in the browser. Maybe Zoom should spend that $200,000 improving their browser product.

[lukeschlather]

Efficiency is very important. The whole point of using a video app is to communicate things you can't communicate as quickly without video. It would be much safer just to use text, even voice would be significantly safer.

And again, this is about messages simply being undeliverable without the native app. If the web app takes an extra 5 seconds to join the meeting (I think it can actually be worse than this in a lot of cases - minutes lost) and I've just reached the meeting at 2pm and the meeting starts promptly at 2pm, and the native app causes me to miss 5 minutes of the intro... what is the cost there? I think in a lot of cases it can erase the benefits of video.

Courts are famously overloaded. If a court can get through 10 cases over a 4 hour session, each taking 24 minutes, and if each case loses 5 minutes of time due to using the browser app, then that's two whole cases worth of time they've lost. And it's not just about being able to handle a larger caseload: in a lot of cases inefficient communication results in incorrect communication and incorrect decisions.

Broadly though, you're taking it for granted that it's easier to make a browser app efficient than it is to make a native app secure. I'd actually wager there's a ceiling to how efficient you can make a browser app, and you can make the native app at least as secure as the browser app while also making it more efficient. Zoom has the money, they don't need to cheap out and do the browser app, and they shouldn't because efficient communication is a matter of life and death and their whole reason for being. Yes, it should be secure, but you can't just dismiss efficiency, being inefficient can cause security problems and it is often a matter of life and death.

> And again, there's no technical reason for why you couldn't implement 50 streaming videos in the browser.

Their docs specify that there are minimum system requirements for doing 50 rather than 25. This is an efficiency problem at the end of the day - the browser app is less efficient and can't handle as much info at a time with the same hardware.

[throwitaway1123]

> The whole point of using a video app is to communicate things you can't communicate as quickly without video.

The 'whole point' of a visual medium is not just to communicate ideas more quickly. Having eyeballs does not merely grant me a speed boost, it allows me to experience things that are simply ineffable otherwise. People didn't Zoom/Facetime their family members during the pandemic just because it was more efficient than texting them.

> And again, this is about messages simply being undeliverable without the native app. If the web app takes an extra 5 seconds to join the meeting

You're misusing the word undeliverable. Undeliverable means 'can not be delivered', not 'delivered 5 seconds later'.

> Zoom has the money, they don't need to cheap out and do the browser app

They're already doing the browser app. I'm saying they should do it well.

> Their docs specify that there are minimum system requirements for doing 50 rather than 25. This is an efficiency problem at the end of the day - the browser app is less efficient and can't handle as much info at a time with the same hardware.

You originally claimed that there was a hard limit to the number of simultaneous video streams that the browser version could handle, and that this was the difference between sending a message and not sending a message, and now you're walking that point back and saying that the browser version can't do it with the same hardware. So you're tacitly admitting that you were originally presenting a false dichotomy.

> being inefficient can cause security problems

There are multiple confirmed security flaws in the desktop Zoom apps (which you claim are more efficient), and your conclusion is "inefficient = insecure"? If anything, the opposite appears to be true according to your own claims.

> I'd actually wager there's a ceiling to how efficient you can make a browser app, and you can make the native app at least as secure as the browser app

Zoom themselves wagered $200,000, and the result was a critical RCE vulnerability in their desktop clients, and nothing in the browser version. But keep postulating with hypotheticals and ignore objective reality.

> if each case loses 5 minutes of time due to using the browser app [...] because efficient communication is a matter of life and death

First of all you've been throwing around this '5 minute' figure throughout this discussion, but there's simply nothing to substantiate it. Your entire argument hinges on this flimsy point derived from anecdotal evidence. I've never spent 5 minutes trying to set up Zoom in the browser. I predicted several days ago that this discussion would degenerate into anecdote trading, and here we are.

Second of all, if I were dealing with a serious court case then one of my primary concerns would be maintaining confidentiality. You completely ignored the entire point of my court example which was to illustrate the fact that security has serious implications, and you can't simply wave them off by saying "I wouldn't transmit personal information via Zoom". You're trying as hard as you can to avoid the most important aspect of using Zoom in court: security. Instead you wrote a thinkpiece about Zoom hypothetically taking 5 minutes to load. Imagine being a witness in a high profile case, on the brink of going into the witness protection program, with your literal life on the line, only to find out that your private information was leaked because someone didn't like the UX of the Zoom web app. And you have the gall to claim that bad UX is a matter of life and death. Are you being serious here?

You yourself said "I wouldn't transmit my bank account number and routing number or similarly sensitive information over Zoom", and yet you want the Zoom desktop app to be used in courts? That makes absolutely zero sense. Do you not believe courts deal with sensitive information?