Zoom Rolling Out End-to-End Encryption

October 18, 2020

On October 14th Max Krohn, the Head of Security Engineering, announced on the Zoom Blog that starting this week they would be rolling out End-to-End Encryption (E2EE) for free and paid users as part of a technical preview and would solicit feedback from users for the first 30 days. According to the post, “With Zoom’s End-to-End Encryption, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents.”

In order to start using End-to-End Encryption, customers will have to enable End-to-End Encryption meetings at the account level and opt in to End-to-End Encryption on a per-meeting basis. In Phase 1, all meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms. Participants can then look for a green shield logo with a padlock in the middle, in the upper left corner of their meeting screen, which indicates that the meeting is using End-to-End Encryption. It looks similar to the GCM encryption symbol, but the check mark is replaced with a lock.

For engineers who like to know how it all works, Max provided a brief explanation: “Zoom’s End-to-End Encryption offering uses public key cryptography. In short, the keys for each Zoom meeting are generated by each participant’s machines, not by Zoom’s servers. Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key. This key management strategy is similar to that used by most end-to-end encrypted messaging platforms today.”
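The key flow described in the two quotes above, as an added sketch in Node.js; it is not Zoom's code and does not come from the Zoom blog post. X25519, HKDF-SHA256, AES-256-GCM and every name below are assumptions chosen for illustration, and the media frame is constructed sample data.

```javascript
// Added illustration; not Zoom's implementation. Algorithms and names are assumptions.
const crypto = require('node:crypto');

// AES-256-GCM helpers: output is iv || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]); // throws if key or data is wrong
}

// Key-wrapping key shared by two parties: X25519 agreement, then HKDF-SHA256.
function wrapKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'meeting-key-wrap', 32));
}

function runMeeting() {
  const newKeys = () => crypto.generateKeyPairSync('x25519');
  const host = newKeys(), alice = newKeys(), bob = newKeys();
  const server = newKeys(); // the relay's own key pair, used only for the negative check

  // The host's machine generates the meeting key; it never leaves in the clear.
  const meetingKey = crypto.randomBytes(32);
  // Everything in this object is what the relay stores or forwards.
  const relay = {
    hostPublic: host.publicKey,
    wrapped: {
      alice: seal(wrapKey(host.privateKey, alice.publicKey), meetingKey),
      bob: seal(wrapKey(host.privateKey, bob.publicKey), meetingKey),
    },
    frame: seal(meetingKey, Buffer.from('constructed sample media frame')),
  };

  // Participant side: unwrap the meeting key, then decrypt the relayed frame.
  const join = (me, name) =>
    open(open(wrapKey(me.privateKey, relay.hostPublic), relay.wrapped[name]), relay.frame).toString();

  let relayCanRead = true;
  try { join(server, 'alice'); } catch { relayCanRead = false; }
  return { alice: join(alice, 'alice'), bob: join(bob, 'bob'), relayCanRead };
}

console.log(runMeeting());
```

The sketch assumes the relay hands out the participants' real public keys; it does not authenticate them, so a relay that substituted its own keys would have to be detected by a separate verification step.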

Ian’s Take

Well done, Zoom. This was an obvious necessity to compete and remain relevant in today’s Virtual Meeting ecosystem. If Zoom had kept end-to-end encryption a premium feature, enterprises wouldn’t adopt Zoom, plain and simple. This was a revenue decision at the end of the day.

My guess is that Zoom’s next target will be Slack.  Zoom can’t compete with Microsoft Teams, but they can compete with Google (Hangout), Apple (FaceTime), and Slack (Instant Messenger). The market has decided that Microsoft’s Teams is the winner and it makes sense, as Microsoft practically gave Teams away to most Office 365 tiers.

Zoom is already following the Slack playbook and getting developers to create apps for its ecosystem. I think Zoom will be well poised to continue to gain market as it has currently overtaken GoToWebinar according to research firm Datanyze.

https://www.datanyze.com/market-share/web-conferencing

If Zoom continues to keep its encryption strong across the board, I don’t see any reason it can’t grow to 40% market share by the end of 2021.

DJ’s Take

Personally, I like this news, but I think we should tie up some loose ends. Last time we talked about Zoom’s encryption efforts on this show, they were quickly back-tracking on statements made by their CEO, Eric Yuan, when he said, “Free users — for sure we don’t want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose.” That was mid-June in episode 9.

At the time they also said, “Non-paying users must provide a piece of identifying information to have the feature enabled, participants cannot join before the host, participants must run the official Zoom client, plus browsers, legacy Zoom enabled devices, and PSTN dial-ins are disabled in one of these meetings.” Well, that changed, as well. Now all a free user has to do to authenticate to one of these meetings is, “[…]participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message.” They also went on to say, “We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our work with human rights and children’s safety organizations and our users’ ability to lock down a meeting, report abuse, and a myriad of other features made available as part of our security icon — we can continue to enhance the safety of our users.”
