Zoom has become the go-to video conferencing solution for many during the COVID-19 lockdown around the globe. But, as the installs increased, Zoom was discovered to have a slew of security loopholes. The company has already put into action a 90-day plan to address the security and privacy concerns of its users. The latest move under this plan is the acquisition of security startup Keybase, which excels in encryption techniques.
Keybase is the company’s first-ever acquisition in its long nine-year journey. Zoom is welcoming a 25-person start-up to its team as part of the deal, whose terms are kept under wraps at the moment. Keybase will now act as a subsidiary to Zoom and its CEO and co-founder Max Krohn will lead the security engineering team. Krohn will report directly to Zoom CEO Eric Yuan.
Keybase, for those unaware, is well-known for building encrypted communication and file-sharing tools. Its expertise in this area will enable Zoom to iron out the weaknesses of its video conferencing tool. Zoom has already implemented AES-GCM encryption with 256-bit keys to bolster security. But, these keys, as well as video recordings, are still stored on the company’s servers. All the video calls are encrypted at each sending client device, as per the blog post.
Zoom wants to take this a step further and employ Keybase’s knowledge to “offer an end-to-end encrypted meeting mode to all paid accounts.” The company has explained how it will work, with an ephemeral per-meeting symmetric key being generated by the host. The host’s client will be in control of the distribution of keys and approval of other client’s that can join a meeting.
Apart from the E2E encryption, paid clients won’t have support for features like phone bridges, cloud recording, or non-Zoom conference room systems. This, Zoom says, will “provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms.” The company further adds that it’s “investigating mechanisms that would allow enterprise users to provide additional levels of authentication.”
As per the blog post, Zoom looks forward to publishing a detailed draft cryptographic design for its end-to-end encrypted solution on Friday, May 22. It will collect feedback and implement the feature in the weeks to come. This should put the mind of privacy enthusiasts at ease.
