Phase one of Zoom’s four-step encryption plan is about to go live. Here are the must-knows about its security trial balloon.
Whether you’re using a free or paid Zoom account, you’ll be able to get your first look at the videoconferencing giant’s new end-to-end encryption (E2EE) feature next week as the company rolls out the first phase of a four-step security plan. The E2EE feature will be available as a technical preview both for those who join and those who host sessions with up to 200 participants, Zoom said Wednesday. The company will be actively seeking feedback from users for the first 30 days after the feature’s launch. Zoom also unveiled a new events platform, called OnZoom, and apps within Zoom called Zapps.
In May, Zoom CEO Eric Yuan said the company would offer end-to-end encryption to all users, despite previously saying the feature would be a premium one, for paying customers only. As a massive surge in users at the onset of the coronavirus pandemic drove more people working from home toward the videoconferencing software, the increased public focus revealed several Zoom security problems, and the fact that an earlier Zoom claim of end-to-end encryption was baseless.
“End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world. This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people,” Yuan said in a Wednesday blog post.
Under the hood
Though Zoom meetings already have some level of encryption, that process usually happens when Zoom’s own servers generate encryption keys and distribute them to meeting participants via the Zoom app. All your information sent through Zoom’s app during those meetings — all the audio, video and in-app functions — is then protected by default with standard AES-256 encryption. That information isn’t decrypted until it reaches your recipient.
Sounds good, right? It is, except that the encryption keys to your information are normally created and managed by Zoom’s servers, which is a security liability. To improve on that flaw, Zoom’s new E2EE feature takes a hands-off approach to your encryption keys by using public key cryptography. So when you host a meeting and enable Zoom’s E2EE feature, your meeting’s encryption keys are generated by your own machine — not Zoom’s servers — and sent to your meeting’s participants. Since Zoom’s servers don’t have the keys to unlock the secrets of your message, theoretically they have no way to decipher the content of your meetings.
The limits of E2EE
Zoom said there are limits to the new E2EE features’ compatibility with the rest of Zoom’s functions.
“Enabling this version of Zoom’s E2EE in your meetings disables certain features, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions,” Yuan said.
He added, however, that Zoom plans to roll out further improvements in 2021.
How to enable encryption in Zoom
If you want to host a meeting with E2EE enabled, you’ve got options. Once the feature is live, account administrators will be able to make E2EE mandatory for anyone joining a meeting, and they’ll be able to change that setting at the user, group or even entire account level. Free-level Zoom users enabling E2EE will be prompted the first time to go through a form of two-factor authentication, which may include verifying a phone number via text message.
If you’re invited to a meeting as a participant, you’ll be able to tell whether you’re in an E2EE meeting by checking the upper left corner of your screen for a green shield logo — similar to Zoom’s current encryption symbol — that will now have a padlock icon in its center instead of a checkmark. The meeting host or leader will also have a hand in verifying that your meeting is secure. You’ll be able to see your host’s security code, and the host can read the code on her or his screen aloud so you can make sure it matches the code you’re seeing.
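The key flow described under "Under the hood" and the security-code comparison above, as an added Node.js example that is not Zoom's code. The article names only AES-256 and public key cryptography, so X25519, HKDF, the wrap label and the code derivation are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');
// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key-wrapping key from an X25519 exchange via HKDF-SHA256 (assumed construction).
function wrapKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'demo-key-wrap', 32));
}

// Short code derived from a public key (assumed derivation, for comparison aloud).
function securityCode(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex').slice(0, 10);
}

function runDemo() {
  const host = crypto.generateKeyPairSync('x25519');
  const guest = crypto.generateKeyPairSync('x25519');
  const server = crypto.generateKeyPairSync('x25519'); // relay with no participant private key

  // The host's machine creates the meeting key and wraps it for the guest.
  const meetingKey = crypto.randomBytes(32);
  const wrapped = seal(wrapKey(host.privateKey, guest.publicKey), meetingKey);
  const frame = seal(meetingKey, Buffer.from('constructed sample frame'));

  // Guest unwraps with its private key plus the host's public key, then decrypts.
  const guestKey = open(wrapKey(guest.privateKey, host.publicKey), wrapped);
  const guestSees = open(guestKey, frame).toString();

  // The relay tries the same unwrap with its own key pair; the GCM tag check fails.
  let serverUnwrapped = true;
  try { open(wrapKey(server.privateKey, host.publicKey), wrapped); } catch (e) { serverUnwrapped = false; }

  // If the relay swapped in its own public key, the guest's code would not match the host's.
  const codes = { host: securityCode(host.publicKey), swapped: securityCode(server.publicKey) };
  return { guestSees, serverUnwrapped, codes };
}

console.log(runDemo());
```

The mismatch between `codes.host` and `codes.swapped` is what reading the code aloud is meant to catch: the comparison happens over the participants' own voices rather than through anything the server relays.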
Source: CNET