Zoom Announces End-to-End Encryption Will be Rolled Out Next Week

Earlier this year following a massive increase in the number of users, it was discovered that the Zoom teleconferencing platform did not offer end-to-end encryption (E2EE) as the company advertised on its website. Instead, the company used transport layer security (TLS) encryption, which only encrypts the connection between the user and the service provider. That means the connection is secure and encrypted, but Zoom, should the company so wish, could access user data.

When this was discovered and reported in The Intercept, Zoom admitted the lack of E2EE and said it was not possible to implement E2EE on its platform. Zoom later confirmed that E2EE would be implemented, but only for paying customers. After considerable criticism from civil rights groups, Zoom backtracked on that decision and decided E2EE would be available for all.

That day has now come, or nearly. Zoom has confirmed that E2EE will finally be used on the platform from next week. The rollout of E2EE on Zoom will take place over a 4-week period in what Zoom calls a “technical preview.” During this period, Zoom will be accepting feedback from users for 30 days.

The encryption previously used by Zoom was AES-256-bit GCM encryption and that will continue; however, an additional layer of security will be added should conference hosts determine it is required. E2EE will not be provided by default. Meeting hosts will need to enable that function on a meeting by meeting basis. Users will know if the meeting is protected by E2EE as a green padlock will be displayed in the top left-hand corner of the window.

For standard Zoom meetings, encryption keys are generated by Zoom’s cloud, which are then distributed to the meeting participants through their Zoom apps. With the new E2EE system, the meeting host, should the host decide to implement E2EE, will generate the encryption keys using public key cryptography and distribute the keys to the meeting participants. The keys for the encryption are not stored by Zoom, so Zoom will not have access to users’ sessions. Zoom servers simply act as relays.

During the first phase release, E2EE will be available for meetings with up to 200 users, but certain features will not be available. These include join before host, cloud recording, Breakout Rooms, streaming, live transcription, polling, 1:1 private chat, and meeting reactions.

The next E2EE rollout is expected to take place in early 2021, which will include additional features such as single sign-on.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news