A new blog post today reveals that Zoom bought Keybase, a 25-person startup specializing in encrypted message and file-sharing. It is the first acquisition in Zoom’s history …
Zoom ran into trouble when it was revealed that its marketing materials falsely claimed Zoom video calls use end-to-end encryption. The reality is that calls are encrypted in transit, but the keys are held by Zoom, so the content remains vulnerable to in-house spying or hacking.
This, and the company’s unexpected popularity boost as a result of coronavirus lockdowns, led to security researchers taking a much closer look at the app and platform, with a number of vulnerabilities discovered. These included re-using the same meeting IDs, no passwords required by default, and a sketchy method of enabling webcam access on Macs.
A number of companies and governments either banned or discouraged the use of Zoom as a result.
The company has responded well, however, offering new security and privacy features in a major new version of the app, and making more secure meetings the default. Previously, Zoom had prioritized ease of use over privacy, so security features were disabled by default.
Zoom said in today’s blog post that the aim of the acquisition is to move to end-to-end encryption.
Today, audio and video content flowing between Zoom clients (e.g., Zoom Rooms, laptop computers, and smartphones running the Zoom app) is encrypted at each sending client device. It is not decrypted until it reaches the recipients’ devices. With the recent Zoom 5.0 release, Zoom clients now support encrypting content using industry-standard AES-GCM with 256-bit keys.
However, the encryption keys for each meeting are generated by Zoom’s servers […] For hosts who seek to prioritize privacy over compatibility, we will create a new solution.
Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees.
The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.
Choosing to use end-to-end encryption will, however, mean that some functionality will be lost.
These end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems.
None of these things will be possible when Zoom has no ability to decrypt the content.
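The host-generated meeting key, enveloped to each attendee's public identity and reissued when the roster changes, as an added Go example (not Zoom's or Keybase's code): it assumes RSA-OAEP as the enveloping scheme, with the attendee name as the OAEP label, and leaves the media encryption under the recovered key out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Meeting is the host's state for one key epoch: the ephemeral AES-256 meeting key
// and one envelope per attendee (that key wrapped to the attendee's public identity).
type Meeting struct {
	Key       []byte
	Envelopes map[string][]byte
}

// NewIdentity runs once on a logged-in client; only the public half goes to Zoom's repository.
func NewIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewMeeting runs on the host's client, which alone decides the roster. Re-running it after
// an attendee change is the rotation: fresh key and envelopes reach current attendees only.
func NewMeeting(roster map[string]*rsa.PublicKey) (*Meeting, error) {
	key := make([]byte, 32) // 256-bit AES-GCM key; it never leaves client devices
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	m := &Meeting{Key: key, Envelopes: make(map[string][]byte, len(roster))}
	for name, pub := range roster {
		env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(name))
		if err != nil {
			return nil, err
		}
		m.Envelopes[name] = env // only this ciphertext transits Zoom's servers
	}
	return m, nil
}

// OpenEnvelope runs on an attendee's device; the OAEP label binds the envelope to its recipient.
func OpenEnvelope(name string, priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env, []byte(name))
}

func main() {
	host, _ := NewIdentity()
	m, _ := NewMeeting(map[string]*rsa.PublicKey{"host": &host.PublicKey})
	fmt.Printf("epoch issued with %d envelope(s)\n", len(m.Envelopes))
}
```

A departed attendee keeps only envelopes for the old epoch, and the server never holds anything it can open, which is exactly why cloud recording and phone bridges cannot work in this mode.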
Zoom says it will publish a draft cryptographic design on May 22, making it available for comment.
Social distancing requirements meant that Zoom bought Keybase, appropriately enough, via video call negotiations. Terms of the acquisition have not been revealed.