Zoom announced today that it has acquired Keybase in its quest to strengthen the security of its video conferencing platform.
Thanks to the COVID-19 pandemic, the use of Zoom has spiked all over the world to over 300 million participants daily. Many articles have been written regarding Zoom’s privacy problems and this move is seen as a solution to that.
“We are excited to integrate Keybase team into the Zoom family to help us build end to end encryption that can reach current Zoom scalability,” the company said in the announcement.
Keybase was a key directory that mapped social media identities to encryption keys, as well as offering an end-to-end encrypted chat called Keybase Chat.
Zoom says its current encryption is applied at each sending client device, and the content is not decrypted until it reaches the recipient’s devices. The encryption keys are generated by Zoom’s servers. However, some features require Zoom to keep encryption keys in the cloud, like adding a phone bridge or using in-room meeting systems.
Zoom says that in the future, it will offer an end-to-end encrypted meeting mode to all paid accounts. This is how Zoom explains the technology:
Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.
Unlike Zoom’s current encryption, this will not support phone bridges, cloud recording or non-Zoom conference room systems. Zoom Rooms and Zoom phone participants will be able to attend if explicitly allowed by the host.
Zoom says that this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms but with the video quality and scale that Zoom has.
The company also says that it will continue to work with users to enhance the reporting mechanisms available to hosts to report disruptive attendees, and will use automated tools to look for evidence of abusive users. It also promises not to build a way to decrypt live meetings or to insert its employees into meetings without being reflected in the participant list.
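
The host-driven key distribution Zoom describes above (a per-meeting symmetric key, enveloped for each attendee's public key and rotated when the attendee list changes) can be sketched as follows. This is an added example, not Zoom's code or part of the announcement; the primitives (X25519, HKDF-SHA256, AES-256-GCM) and all function and attendee names are assumptions, since the announcement names no algorithms.

```javascript
// Added illustration: X25519, HKDF-SHA256 and AES-256-GCM are assumed primitives.
const crypto = require('node:crypto');
// Each device holds a long-term keypair; the public half is its published identity.
const newIdentity = () => crypto.generateKeyPairSync('x25519');

// Derive a one-time wrapping key from an ECDH shared secret.
function deriveWrapKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'meeting-key-wrap', 32));
}

// Host side: envelope the meeting key for one attendee's public key.
function envelope(meetingKey, attendeePublicKey) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh per envelope
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveWrapKey(eph.privateKey, attendeePublicKey), iv);
  const ct = Buffer.concat([c.update(meetingKey), c.final()]);
  return { ephPub: eph.publicKey, iv, ct, tag: c.getAuthTag() };
}

// Attendee side: recover the meeting key; throws if the envelope targets another key.
function unwrap(env, attendeePrivateKey) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveWrapKey(attendeePrivateKey, env.ephPub), env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]);
}

// Host generates a fresh key and envelopes it only for the devices it currently allows.
function distribute(allowed) {
  const meetingKey = crypto.randomBytes(32);
  const envelopes = new Map(allowed.map(([name, pub]) => [name, envelope(meetingKey, pub)]));
  return { meetingKey, envelopes };
}

// Constructed scenario: three attendees, then the host removes "carol" and rotates.
function demo() {
  const ids = { alice: newIdentity(), bob: newIdentity(), carol: newIdentity() };
  const pubs = (names) => names.map((n) => [n, ids[n].publicKey]);
  const first = distribute(pubs(['alice', 'bob', 'carol']));
  const second = distribute(pubs(['alice', 'bob'])); // rotation after the attendee change
  let carolNew = null; // carol tries bob's new envelope with her own private key
  try { carolNew = unwrap(second.envelopes.get('bob'), ids.carol.privateKey); } catch (e) { /* tag check fails */ }
  return {
    bobGetsNew: unwrap(second.envelopes.get('bob'), ids.bob.privateKey).equals(second.meetingKey),
    carolHadOld: unwrap(first.envelopes.get('carol'), ids.carol.privateKey).equals(first.meetingKey),
    carolLockedOut: carolNew === null && !second.envelopes.has('carol'),
    rotated: !first.meetingKey.equals(second.meetingKey),
  };
}
```

Rotation is what removes a departed attendee's access: carol still holds the first key, so anything the host keeps encrypting under it would remain readable to her.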