So remember when I was saying Zoom is a privacy and security train wreck? Apparently, that was an understatement:
“Zoom has ‘rolled their own’ encryption scheme [with] significant weaknesses … [and transmits] meeting encryption keys through China.”
@aral @ScottMortimer worst part - 97% of people won’t know, and won’t care. Zoom has done the most damage by simply advertising. I still see dozens of people daily saying others should use zoom. I warn them, send article links, and their response... “well, it’s free...so I’ll chance it.” Where have I heard something similar?
@aral @ScottMortimer Hang on - the article says they use AES-128 - that's not rolling your own! I bet the reason for using ECB is for any user to be able to recover after congestion - (counter could do the same ?). Distributing the keys is a mess though - I don't think there's a standard to use; Matrix has a complex scheme that only just about works but shows the challenge in a multiple-user e2e scheme - it's hard to exchange keys with an arbitrary no of users who can join/leave/dropout.
This is my personal Mastodon.