The video chat darling of the pandemic has finally added the security feature it claimed it had been using all along: end-to-end encryption.
“We’re very proud to bring Zoom’s new end-to-end encryption to Zoom users globally today,” Zoom CISO Jason Lee said in a prepared statement. “This has been a highly requested feature from our customers, and we’re excited to make this a reality. Kudos to our encryption team who joined us from Keybase in May and developed this impressive security feature within just six months.”
Yes, kudos. Zoom’s end-to-end encryption (E2EE) is only available in a technology preview at this time, but it is at least available to users globally for free in meetings of up to 200 users (and to paid users in whatever configuration).
According to Zoom, this new feature uses 256-bit AES-GCM encryption identical to that which Zoom meetings already use by default. But when E2EE is enabled, only participants—and not Zoom or its meeting servers—have access to the encryption keys that are used to encrypt the meeting. Now, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants, Zoom says, and Zoom’s servers become “oblivious relays” and never see the encryption keys required to decrypt the meeting contents.
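The key distribution described above, sketched as an added example that is not Zoom's code or protocol: the host wraps a random meeting key for a participant, and a relay holding only the forwarded ciphertexts cannot unwrap it. The article names only 256-bit AES-GCM and "public key cryptography", so X25519 key agreement, HKDF-SHA256, the meeting ID and every function name here are assumptions.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM box layout used in this example: nonce(12) || tag(16) || ciphertext
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(box.subarray(12, 28));
  // final() throws if the key is wrong or the box was modified in transit
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Key-wrapping key: X25519 shared secret run through HKDF, bound to the meeting ID (assumed scheme)
function wrappingKey(myPrivate, theirPublic, meetingId) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), meetingId, 32));
}

function runMeeting() {
  const meetingId = Buffer.from('meeting-0001'); // constructed sample value
  const host = crypto.generateKeyPairSync('x25519');
  const alice = crypto.generateKeyPairSync('x25519');
  const relay = crypto.generateKeyPairSync('x25519'); // the server's own key pair

  // Host side: generate the 256-bit meeting key, wrap it for Alice, encrypt one frame
  const meetingKey = crypto.randomBytes(32);
  const wrapped = seal(wrappingKey(host.privateKey, alice.publicKey, meetingId), meetingKey, meetingId);
  const frame = seal(meetingKey, Buffer.from('hello from the host'), meetingId);

  // Participant side: unwrap the meeting key, then decrypt the relayed frame
  const aliceKey = open(wrappingKey(alice.privateKey, host.publicKey, meetingId), wrapped, meetingId);
  const alicePlain = open(aliceKey, frame, meetingId).toString();

  // Relay side: it forwards `wrapped` and `frame` but its own key cannot unwrap them
  let relayRecoveredKey = true;
  try { open(wrappingKey(relay.privateKey, host.publicKey, meetingId), wrapped, meetingId); }
  catch { relayRecoveredKey = false; }

  return { alicePlain, keysMatch: aliceKey.equals(meetingKey), relayRecoveredKey };
}

console.log(runMeeting());
```

The sketch treats the participants' public keys as already authenticated. That step carries the guarantee: a relay able to substitute its own public key during distribution would receive a wrapped copy of the meeting key like any other participant.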
What Zoom doesn’t say, according to Fortune, is that enabling E2EE disables several Zoom features, including recording meetings to the cloud, live emoji reactions, the ability for participants to join a call before the host, streaming meetings to outside viewers, live transcription, polls, one-on-one private chats, and breakout rooms.
Zoom says it will test the feature publicly for 30 days before releasing it generally, and it is soliciting feedback from users so that it can improve as needed.