Starting next week, Zoom users – both those who are on one of the paid plans and those who use it for free – will be able to try out the solution’s new end-to-end encryption (E2EE) option.
In this first rollout phase, all meeting participants:
- Must join from the Zoom desktop client, mobile app, or Zoom Rooms
- Must enable the E2EE option at the account level and then for each meeting they want to use E2EE for
How does Zoom E2EE work?
“Zoom’s E2EE uses the same powerful GCM encryption you get now in a Zoom meeting. The only difference is where those encryption keys live,” the company explained.
“In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents.”
The option will be available as a technical preview and will work for meetings including up to 200 participants. In order to join such a meeting, every participant must have the E2EE setting enabled.
For the moment, though, enabling E2EE for a meeting means giving up on certain features: “join before host”, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.
“Participants will also see the meeting leader’s security code that they can use to verify the secure connection. The host can read this code out loud, and all participants can check that their clients display the same code,” the company added.
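The key flow described above (host generates the meeting key, wraps it for each participant with public key cryptography, relay never sees it, everyone compares a security code) as an added, self-contained Go example. This is illustrative code written for this page, not Zoom's implementation or its protocol: the names `WrappedKey`, `HostDistribute`, `Unwrap` and `SecurityCode` are assumptions, the key derivation is a constructed SHA-256 KDF rather than Zoom's, and the security-code format is a constructed one; only the shape of the design (X25519 agreement, AES-256-GCM wrapping, a digest the host reads aloud) follows the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// WrappedKey is everything the relay sees for one recipient: the host's ephemeral public
// key and the meeting key sealed with AES-256-GCM under a key only that recipient can derive.
type WrappedKey struct {
	To      string // recipient name, also bound as GCM additional data
	HostEph []byte // host's ephemeral X25519 public key for this recipient
	Nonce   []byte
	Sealed  []byte
}

// sharedAEAD runs X25519 with our private key and the peer's public key and derives the
// wrapping AEAD. The KDF is a constructed SHA-256 over a label, the shared secret and both
// public keys (a production design would use HKDF); both sides must pass the same inputs.
func sharedAEAD(priv *ecdh.PrivateKey, peerPub, hostEph, recipientPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("meeting-key-wrap-v1"))
	h.Write(shared)
	h.Write(hostEph)
	h.Write(recipientPub)
	block, err := aes.NewCipher(h.Sum(nil)) // 32-byte digest selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HostDistribute is the host side: the meeting key is generated on the host's device and
// sealed once per participant under a fresh ephemeral ECDH key. The relay only forwards
// the resulting blobs and never holds anything that decrypts the meeting.
func HostDistribute(meetingKey []byte, pubs map[string][]byte) ([]WrappedKey, error) {
	out := make([]WrappedKey, 0, len(pubs))
	for name, pub := range pubs {
		eph, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		ephPub := eph.PublicKey().Bytes()
		aead, err := sharedAEAD(eph, pub, ephPub, pub)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = append(out, WrappedKey{name, ephPub, nonce, aead.Seal(nil, nonce, meetingKey, []byte(name))})
	}
	return out, nil
}

// Unwrap is the participant side. Anyone without the recipient's private key, the relay
// included, gets a GCM authentication error instead of the meeting key.
func Unwrap(priv *ecdh.PrivateKey, w WrappedKey) ([]byte, error) {
	aead, err := sharedAEAD(priv, w.HostEph, w.HostEph, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Sealed, []byte(w.To))
}

// SecurityCode reduces the meeting's public keys to four five-digit groups the host can read
// aloud; a relay that swapped in its own key would change the code on every screen (constructed format).
func SecurityCode(pubs map[string][]byte) string {
	names := make([]string, 0, len(pubs))
	for n := range pubs {
		names = append(names, n)
	}
	sort.Strings(names) // canonical order so every client hashes the same byte string
	h := sha256.New()
	for _, n := range names {
		h.Write([]byte(n))
		h.Write(pubs[n])
	}
	sum := h.Sum(nil)
	group := func(i int) uint32 { return binary.BigEndian.Uint32(sum[4*i:]) % 100000 }
	return fmt.Sprintf("%05d %05d %05d %05d", group(0), group(1), group(2), group(3))
}
```

Binding the recipient's name as GCM additional data is what stops a relay from re-addressing one participant's blob to another: the tag check in `Unwrap` fails for anyone but the named recipient, which is the "oblivious relay" property the article describes.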
E2EE for everybody
In June 2020, Zoom CEO Eric Yuan announced the company’s intention to offer E2EE only to paying customers, but after a public outcry they decided to extend its benefits to customers with free accounts as well.
“Free/Basic users seeking access to E2EE will participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message. Many leading companies perform similar steps to reduce the mass creation of abusive accounts,” the company reiterated in this latest announcement.
Video conferencing platform Zoom is finally offering all users the option to enable two-factor authentication (2FA) to secure their accounts against credential stuffing attacks and attacks leveraging phished login credentials.
How to enable Zoom 2FA on a Pro, Business, Education, or Enterprise account
Zoom gives the choice between two modes of delivery of the second authentication factor (a 6-digit code):
- Via a 2FA app that supports the Time-based One-Time Password (TOTP) protocol – e.g., Google Authenticator, Microsoft Authenticator, or FreeOTP
- Via SMS (text message)
Account owners/admins can enable the option at the account level by:
1. Signing in to the Zoom Dashboard.
2. In the navigation menu, clicking Advanced, then Security.
3. Enabling the Sign in with Two-Factor Authentication option.
4. Specifying users to enable 2FA for:
- All users in the account
- Users with specific roles
- Users belonging to specific groups
5. Clicking Save.
Once that’s done, they can inform the users about the option and provide instructions on how to take advantage of it.
As is usual with these things, once users set up the option, they are also provided with backup codes to use in case they misplace their phone, uninstall their 2FA app or remove Zoom from the 2FA app by mistake. If they lose those, there’s always the option to ask their admin to reset their 2FA setup.
How to enable Zoom 2FA on a (free) Basic account
Users who have opted for a Basic account can set up 2FA by:
- Signing in to their account via the Zoom web portal
- In the navigation menu, clicking Profile, then enabling Two-Factor Authentication by clicking Turn on
- Entering their password into the pop-up box
- Opting for one of the options and setting it up.
Once they’ve set up 2FA, they can make changes at the same “place” (the Profile tab).
Zoom and security
Since its popularity and user base skyrocketed in the wake of the COVID-19 pandemic, Zoom has been working on fixing many security and privacy issues.
More recently, Zoom Video Communications announced that it is working on providing end-to-end encryption (E2EE) to both paying Zoom customers and those with free (Basic) accounts.
The world is one step closer to having a totally secure internet and an answer to the growing threat of cyber-attacks, thanks to a team of international scientists who have created a multi-user quantum communication network which could transform how we communicate online.
The invention led by the University of Bristol has the potential to serve millions of users, is understood to be the largest-ever quantum network of its kind, and could be used to secure people’s online communication, particularly in these internet-led times accelerated by the COVID-19 pandemic.
By deploying a new technique, harnessing the simple laws of physics, it can make messages completely safe from interception while also overcoming major challenges which have previously limited advances in this little-used but much-hyped technology.
Lead author Dr Siddarth Joshi, who headed the project at the university’s Quantum Engineering Technology (QET) Labs, said: “This represents a massive breakthrough and makes the quantum internet a much more realistic proposition. Until now, building a quantum network has entailed huge cost, time, and resource, as well as often compromising on its security which defeats the whole purpose.”
“Our solution is scalable, relatively cheap and, most important of all, impregnable. That means it’s an exciting game changer and paves the way for much more rapid development and widespread rollout of this technology.”
Protecting the future internet
The current internet relies on complex codes to protect information, but hackers are increasingly adept at outsmarting such systems, leading to cyber-attacks across the world which cause major privacy breaches and fraud running into trillions of pounds annually. With such costs projected to rise dramatically, the case for finding an alternative is even more compelling, and quantum has for decades been hailed as the revolutionary replacement for standard encryption techniques.
So far physicists have developed a form of secure encryption, known as quantum key distribution, in which particles of light, called photons, are transmitted. The process allows two parties to share, without risk of interception, a secret key used to encrypt and decrypt information. But to date this technique has only been effective between two users.
“Until now efforts to expand the network have involved vast infrastructure and a system which requires the creation of another transmitter and receiver for every additional user. Sharing messages in this way, known as trusted nodes, is just not good enough because it uses so much extra hardware which could leak and would no longer be totally secure,” Dr Joshi said.
How the multi-user quantum communication network works
The team’s quantum technique applies a seemingly magical principle, called entanglement, which Albert Einstein described as “spooky action at a distance.” It exploits the power of two different particles placed in separate locations, potentially thousands of miles apart, to simultaneously mimic each other. This process presents far greater opportunities for quantum computers, sensors, and information processing.
“Instead of having to replicate the whole communication system, this latest methodology, called multiplexing, splits the light particles, emitted by a single system, so they can be received by multiple users efficiently,” Dr Joshi said.
The team created a network for eight users using just eight receiver boxes, whereas the former method would need the number of users multiplied many times – in this case, amounting to 56 boxes. As the user numbers grow, the logistics become increasingly unviable – for instance 100 users would take 9,900 receiver boxes.
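Read as a formula, the two figures quoted above follow the same rule (added here as an inference from the article's numbers; the article itself does not state the formula): with trusted nodes every user needs a dedicated receiver for every other user, while multiplexing needs one per user.

$$N_{\text{trusted}}(n) = n(n-1), \qquad N_{\text{trusted}}(8) = 56, \quad N_{\text{trusted}}(100) = 9{,}900,$$

$$N_{\text{multiplexed}}(n) = n, \qquad N_{\text{multiplexed}}(8) = 8.$$

The quadratic growth of $n(n-1)$ against the linear $n$ is what the article means by the logistics becoming "increasingly unviable" as users are added.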
To demonstrate its functionality across distance, the receiver boxes were connected to optical fibres via different locations across Bristol and the ability to transmit messages via quantum communication was tested using the city’s existing optical fibre network.
“Besides being completely secure, the beauty of this new technique is its streamline agility, which requires minimal hardware because it integrates with existing technology,” Dr Joshi said.
The team’s unique system also features traffic management, delivering better network control which allows, for instance, certain users to be prioritised with a faster connection.
Saving time and money
Whereas previous quantum systems have taken years to build, at a cost of millions or even billions of pounds, this network was created within months for less than £300,000. The financial advantages grow as the network expands, so while 100 users on previous quantum systems might cost in the region of £5 billion, Dr Joshi believes multiplexing technology could slash that to around £4.5 million, less than 1 per cent.
In recent years quantum cryptography has been successfully used to protect transactions between banking centres in China and secure votes at a Swiss election. Yet its wider application has been held back by the sheer scale of resources and costs involved.
“With these economies of scale, the prospect of a quantum internet for universal usage is much less far-fetched. We have proved the concept and by further refining our multiplexing methods to optimise and share resources in the network, we could be looking at serving not just hundreds or thousands, but potentially millions of users in the not too distant future,” Dr Joshi said.
“The ramifications of the COVID-19 pandemic have not only shown importance and potential of the internet, and our growing dependence on it, but also how its absolute security is paramount. Multiplexing entanglement could hold the vital key to making this security a much-needed reality.”
Collaborating institutions with the University of Bristol are the University of Leeds, Croatia’s Ruder Boskovic Institute (RBI) in Zagreb, Austria’s Institute for Quantum Optics and Quantum Information (IQOQI), in Vienna, and China’s National University of Defence Technology (NUDT) in Changsha.
Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well.
The decision was reached after much public outcry by privacy-minded users and privacy advocates. As famed cryptographer and privacy specialist Bruce Schneier noted, “we are learning – in so many areas – the power of continued public pressure to change corporate behavior.”
Zoom does an about-face on E2EE
Zoom CEO Eric Yuan announced their decision to bring E2EE to paid users only in early June. He explained that they want to be able to help law enforcement in investigations and that people who use Zoom to disrupt online meetings and to engage in criminal acts and facilitate horrible abuse generally use free (quasi-anonymous) accounts.
In the meantime, though, they’ve found a solution that will allow them to offer E2EE as an advanced add-on feature for all users while maintaining the ability to prevent and fight abuse.
“To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Yuan explained this Wednesday.
“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
E2EE for everyone
The decision was welcomed by the Electronic Frontier Foundation, though they pointed out that phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users.
“In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties,” they noted.
An early beta of the E2EE feature is scheduled to be introduced by Zoom in July 2020. The feature will be optional because it limits some meeting functionality, and account administrators will be able to switch it on or off at the account and group level.
“Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium,” they added.
The EFF has called on other companies that provide communication tools to provide E2EE encryption to both users who pay for their services and those who don’t.
As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option.
“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday.
Zoom encryption and end-to-end encryption
- All users – whether using free or paid accounts – now have the option of using AES 256-bit GCM encryption for their Zoom meetings and webinars. To take advantage of it, they have to upgrade their Zoom client (mobile or desktop app) to v5.0 or any of the later ones.
- The company has released a draft design of their end-to-end encryption capability on GitHub and is hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to solicit feedback for the final design.
- The company plans to add multi-factor authentication options for free and Pro users in the future (near or far, they didn’t specify).
“Our top priority is to focus on building effective end-to-end encryption for our meeting product first, where it will be most useful. We are considering end-to-end encryption options for Zoom Chat, Zoom Phone, and Zoom Video Webinars down the road,” the company stated.
E2EE just for those who pay for an account
With standard (non-end-to-end) encryption, the service provider holds the encryption keys, so it can decrypt communications if law enforcement demands it. With E2EE, the encryption keys are created and remain on the devices of the people involved in the communication.
Yuan’s explanation of why end-to-end encryption would not be available to free accounts has been fleshed out by Alex Stamos, former Facebook CISO and current adjunct professor at Stanford University’s Center for International Security and Cooperation, who’s now also a security and privacy adviser to Zoom.
Some facts on Zoom’s current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
The E2E design is available here: https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
In short, Zoom’s decision is motivated by the need to find a way to deal, in conjunction with law enforcement, with people who disrupt meetings (often repeat offenders).
“The other safety issue is related to hosts creating meetings that are meant to facilitate really horrible abuse. These hosts mostly come in from VPNs, using throwaway email addresses, create self-service orgs and host a handful of meetings before creating a new identity,” Stamos explained.
He concedes that not offering E2EE to free tier users will not eliminate all abuse, but that “since the vast majority of harm comes from self-service users with fake identities this will create friction and reduce harm.”
Privacy and digital rights advocates have argued that this decision will also ultimately hurt vulnerable groups such as activists, journalists, nonprofits, domestic violence victims – groups that desperately need E2EE but might not have the resources to splurge for a paid plan.
Zoom’s decision comes at a time when a new piece of legislation (the EARN IT Act) is being pushed through the US Congress that is expected to ultimately force/incentivize tech and internet companies to abandon plans to offer end-to-end encryption to users.
Signal has fixed a vulnerability affecting its popular eponymous secure communications app that allowed bad actors to discover and track a user’s location.
The nonprofit organization has also announced on Tuesday a new mechanism – Signal PINs – that will, eventually, allow users not to use their phone number as their user ID.
About the vulnerability
The vulnerability, discovered by Tenable researcher David Wells, stems from the fact that the WebRTC fork used by Signal for voice and video communication must discover a valid connection path for the local (the calling party) and remote peer (the called party) to communicate.
While doing that, it makes a DNS request and, in doing so, reveals the DNS server the phone automatically connects to.
While the DNS server information cannot tell the caller where exactly the callee is located, as it offers just coarse location data, according to Wells, “in instances such as Google Public DNS (8.8.8.8/8.8.4.4) and others, this attack can narrow the location down to the Signal user’s city due to usage of EDNS Client Subnet.”
Most importantly, the information can be gleaned even if the called party does not answer the call, meaning that the called party can’t prevent a threat actor from placing the call, hanging up before they answer, and collecting the DNS server info.
Doing so many times during the day and for weeks would allow the threat actor to build a profile of frequent DNS servers the app uses as the called party moves from home, to work, to a coffee shop, and so on.
While this may not be a problem for average users, one can see how certain users like journalists, activists, dissidents, or even victims of stalkers could be affected by malicious actors being able to know, at any time, their general location.
Luckily, Signal has already pushed out updated versions of Signal for Android (v4.59.11) and iOS (3.8.4) that fix the problem, so users can update their apps immediately.
If updating is impossible, Wells advises using a mobile VPN app that tunnels DNS traffic.
About Signal PINs
By setting up and using a Signal PIN, users will be able to save (back up) important data (e.g., profile, account settings, contacts, block list) that they might lose if their phones get lost, stolen or destroyed. This will also allow users to easily migrate their Signal data when they switch phones.
The data will be encrypted and saved on Signal’s servers, but won’t be accessible to Signal because they don’t know the users’ PIN.
It’s also important to point out that the saved data does not include Signal conversations.
Signal PINs can also serve as an optional “registration lock” – an additional protection against Signal account hijacking.
Finally, according to Signal, this mechanism “will also help facilitate new features like addressing that isn’t based exclusively on phone numbers, since the system address book will no longer be a viable way to maintain your network of contacts.”
Users can change their PIN and switch on the Registration Lock through the app’s privacy settings. More information about Signal PINs can be found here.