Zoom is making yet another rapid move in its ambitious plan to further fortify its video conferencing platform’s security. The company has today announced the acquisition of Keybase, a company that has been in the business of encryption for well over half a decade. The purchase price and other financials remain unrevealed.
Announcing the acquisition via a blog post, Zoom CEO Eric Yuan said, “This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses.”
Keybase will bring along some critical data encryption tech that will help Zoom further secure video calls made over its platform. Since its launch in 2014, Keybase’s team of exceptional engineers has built a secure messaging and file-sharing service leveraging their deep encryption and security expertise.
Here is how Zoom currently works. All content that traverses Zoom’s platforms across devices is encrypted at the sender’s end. It is not decrypted until it reaches the recipients’ devices. The company recently announced an upgrade to AES-GCM with 256-bit keys. The problem with such a system is that these keys have to be generated by Zoom’s servers, which leaves a security loophole.
Some features used by Zoom clients, such as support for attendees to call into a phone bridge or use in-room meeting systems offered by other companies, will always require Zoom to keep some encryption keys in the cloud.
With the Keybase tech in place, Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting.
What this essentially means is that these newly offered end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems. Zoom Rooms and Zoom Phone participants will be able to attend if explicitly allowed by the host.
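The host-controlled key model described above, as an added Node.js sketch that is not Zoom's or Keybase's code or published design: the host generates the 256-bit meeting key on its own device and wraps it only for the public keys of allowed devices, so a party that merely relays the envelopes cannot recover it. The X25519/HKDF wrapping scheme and every function name here are assumptions chosen for illustration.

```javascript
// Added illustration; not Zoom's or Keybase's protocol. All names are hypothetical.
const crypto = require("node:crypto");

// Each device holds a long-term key pair; only the public half is published.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("x25519");
  return { name, publicKey, privateKey };
}

// Derive a 256-bit wrapping key from an X25519 shared secret (assumed scheme).
function wrappingKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync("sha256", shared, Buffer.alloc(0), "meeting-key-wrap", 32));
}

// AES-256-GCM with a fresh random 96-bit IV per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]); // throws on wrong key or tag
}

// Host: create the meeting key locally and wrap it for each allowed device only.
function hostDistribute(host, allowedDevices) {
  const meetingKey = crypto.randomBytes(32);
  const envelopes = new Map(); // this map is all the server ever relays
  for (const d of allowedDevices)
    envelopes.set(d.name, seal(wrappingKey(host.privateKey, d.publicKey), meetingKey));
  return { meetingKey, envelopes };
}

// Device: unwrap its envelope using its own private key and the host's public key.
function deviceUnwrap(device, hostPublicKey, envelope) {
  return open(wrappingKey(device.privateKey, hostPublicKey), envelope);
}

// Constructed scenario: "alice" is allowed; "relay" only sees the envelope in transit.
function demo() {
  const host = newDevice("host"), alice = newDevice("alice"), relay = newDevice("relay");
  const { meetingKey, envelopes } = hostDistribute(host, [alice]);
  const got = deviceUnwrap(alice, host.publicKey, envelopes.get("alice"));
  let relayCanRead = true;
  try { deviceUnwrap(relay, host.publicKey, envelopes.get("alice")); } catch { relayCanRead = false; }
  return { aliceOk: got.equals(meetingKey), relayCanRead, keyBits: meetingKey.length * 8 };
}
```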
While Zoom has addressed security concerns time and again, mostly through a ’90-day’ plan, the company has failed to pacify users, including large corporations and even governments. Governments and government departments across the globe have issued advisories against the usage of Zoom’s multiple platforms.
The company is aiming to publish a detailed draft cryptographic design on Friday, May 22. It will then host discussion sessions with civil society, cryptographic experts, and customers to share more details and solicit feedback. Based on the feedback, these features will be made available to a larger section of users.