So remember when I was saying Zoom is a privacy and security train wreck? Apparently, that was an understatement:
“Zoom has ‘rolled their own’ encryption scheme [with] significant weaknesses … [and transmits] meeting encryption keys through China.”
Via @ScottMortimer
It's been tough watching infosec Twitter "Luminaries" start to defend them under availability claims...
they just like the backdrops...
dumb, dumb, dumb.
@thegibson @ScottMortimer “infosec” *shudder*
@aral @ScottMortimer I'm petitioning for all "roll your own" encryption algorithms to be be "DKA-compliant"
DKA = Dunning Krueger Algorithm.
@aral @ScottMortimer Pretty sure Telegram is also DKA Compliant.
@craigmaloney
And this is why I have avoided Telegram like the plague. Friends don't let friends use Telegram. *Shudder*
@aral
@aral @ScottMortimer worst part - 97% of people won’t know, and won’t care. Zoom has done the most damage by simply advertising. I still see dozens of people daily saying others should use zoom. I warn them, send article links, and their response... “well, it’s free...so I’ll chance it.” Where have I heard something similar?
@aral @ScottMortimer Hang on - the article says they use AES-128 - that's not rolling your own! I bet the reason for using ECB is for any user to be able to recover after congestion - (counter could do the same ?). Distributing the keys is a mess though - I don't think there's a standard to use; Matrix has a complex scheme that only just about works but shows the challenge in a multiple-user e2e scheme - it's hard to exchange keys with an arbitrary no of users who can join/leave/dropout.
@aral @ScottMortimer it's gotten to the point where i saw this post and just actually laughed
@aral It doesn't stop 200 million people from using it.