Move Fast & Roll Your Own Crypto

Micah Lee, writing for The Intercept, in Zoom’s Encryption Is “Not Suited for Secrets” and Has Surprising Links To China, Researchers Discover:

“Some of the key management systems — 5 out of 73, in a Citizen Lab scan — seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. ... The report points out that Zoom may be legally obligated to share encryption keys with Chinese authorities if the keys are generated on a key management server hosted in China.”

This just makes an adversary’s easy job even easier, though, thanks to the weak encryption scheme those keys facilitate:

“A security white paper from the company claims that Zoom meetings are protected using 256-bit AES keys, but the Citizen Lab researchers confirmed the keys in use are actually only 128-bit ... Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook (ECB) mode, ‘which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input,’ according to the Citizen Lab researchers. In fact, ECB is considered the worst of AES’s available modes.”

Bill Marczak and John Scott-Railton’s study, Move Fast & Roll Your Own Crypto, goes into more detail, and concludes with this key takeaway: “As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality”. Unfortunately, though, most of Zoom’s competitors don’t do much better.