Is Zoom secure?

I did a quick search of the NVD for Zoom and was surprised to find so many vulnerabilities.

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=zoom&search_type=all

Anyone have any specific experience with the Zoom client that they would like to share?

1 Like

ProtonMail had a blog post about zoom

3 Likes

Thanks for sharing this. Very useful.

1 Like

Depends if you just mean Security or both Security & Privacy. Security, they seem to be fine for the most part except for the macOS issue a little while back. In regards to Privacy, there are multiple issues but some of them are having an issue with features and others are concerns of legitimate complaints like using the Facebook SDK in the iOS app. However, every time an issue is found they do address it rather than pretend it’s not an issue.

So I wouldn’t say I’m completely comfortable with them, but overall they seem to want to be good about this kind of stuff.

3 Likes

A flatpak install of Zoom is possible. This would presumably provide some sandboxing goodness.

3 Likes

Just noticed, ditto on snap. Never used it wouldn’t be surprised if it comes up in the next weeks and months.

1 Like

I researched deeper into the security issues and it appears that most issues were with MacOS, as @MichaelTunnell stated.

Privacy is another conversation.

Thanks for all the input, this was very helpful.

1 Like

Cryptograhpic flaws in Zoom have been discovered:

“… Zoom protects video and audio content using a home-grown encryption scheme”

" Zoom’s Chief Product Officer Oded Gal … apologized on behalf of the company “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”

" A security white paper from the company claims that Zoom meetings are protected using 256-bit AES keys, but the Citizen Lab researchers confirmed the keys in use are actually only 128-bit."

“Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook, or ECB, mode, … ECB is considered the worst of AES’s available modes.”

So to answer the OP, NO, @Mr_McBride

Bruce Schneier also gave a similar, scathing analysis.

Note: I wrote a guide to installing Mattermost Team Server 5.21 on a Raspberry Pi 4, for those who would like a cheap, on-prem WhatsApp-like chat server. It’s decently performant, on Ubuntu 18.04.4, or 19.10, 64-bit.

You won’t get video or audio calls, but if text-based chat (with Slack-like “channels”, file/image attachments, emojis, reactions, flagging, pinning, etc), with good mobile support (better than a Discourse experience), and push notifications interests you, then here’s my guide.

1 Like

I’ve always wanted to use Jitsi but have never had good luck with jitsi.meet. I decided to experiment with setting up my own instance of Jitsi on a DigitalOcean droplet. It’s up and running and it seems to be working alright. I’m going to use it more this week and see how it goes.

4 Likes

I’ve never used Jitsi I’ve heard of it . The second question is can this be hosted on someone main rig? Instead of doing DO? That would be the way I would go about doing this .

Yes but you have to do some slight modification to account for NAT. This video takes you through the whole setup process, including adding authentication so the server isn’t wide open (which it is by default).

4 Likes

That was a very good video.

Any indication of how many resources the jitsi server uses when having a conference with 5-10 people?

1 Like

I had 6 on to test and a $5 droplet seemed to be handling it well. I am going to use it this week for streaming so I can let you know how it goes with more people.

2 Likes

I would say 6 people on Jitsi Meet is actually an impressive number. With Nextcloud Talk, it’s dodgy at 3 ppl, and 4 is like right out.

We were testing last night and had close to 10 concurrent sessions and the server seemed to handle it. It was eating bandwidth though which could be a problem on a cloud host. If it were for a business then no big deal. Allocate more resources and you have a solid self-hosted solution.

So this is coming up in my family right now, my mother’s Zumba classes are moving online. Since I obviously can’t insert myself into their business and they have set up to use Zoom, what can I do on my end to “secure Zoom.” Is there a blacklist for pi-hole to keep telemetry in check? Should I have her run it in a VM?

I guess what I’m asking, aside from and up to “don’t use it,” is what are the current best possible practices for using Zoom?

I follow a cybersecurity expert and got this today. It might be the most poignant statement I have seen about Zoom’s recent history. From Daniel Miessler:

2 Likes

Well, that’s a whole lot of nothing right there. Not surprised since it’s coming from PR.

Let’s just stick to the facts. Zoom has had several CVE’s since 2017 and has recently had two zero days. One only needs to focus on that to understand whether or not they want to use Zoom and if so, what they will be risking. Not all of the vulns apply to everyone. Some of them are platform specific.

1 Like

no ideal but not a automatic deal breaker

This is not to say End-to-End isnt an option, its because not all scenarios can be encrypted. For example, if your Zoom room allows for people to join via phone call, well that is impossible to encrypt on both sides, maybe even on either side so if this happens there is no way to offer End to End. However, if all participants use one of the clients to connect then it is possible to have End to End.

That’s the only reason people use Zoom though :slight_smile:


I have had issues with their service as well and it seems that self-hosted instances are better overall than the demo version but it is still very very limited in features and reliability. Ryan and I tested it tonight and sadly it’s not really even close to a solution for our needs. It is pretty cool and would likely be totally fine for a LOT of uses, especially rooms where everyone who joins is meant to be involved the whole time.

This is a very VERY interesting perspective and I agree in many aspects.

I am not sure what you mean. If you are talking about the statement Eric shared then I am even more confused. The statement was made by an independent cybersecurity person. Please clarify.

Ok, well that sounds like cherry picking because with further context the narrative changes. Zoom has had multiple CVEs in the past and they pay for them with a Bug Bounty program and addresses them very quickly when found. Most of the issues are fixed with in days or a couple of weeks which is moving pretty fast. Zoom also committed to improving their Bug Bounties program further.

The (2) Zero Days that happened both require local/physical access to a users computer to exploit the vulns. This is not a dire problem so just say “2 zero days” has much worse implications than “2 zero days that won’t affect you without your attacker being quarantined with you” . . . or something like that.

1 Like