Zoom Acquires Keybase and Will Soon Introduce End-to-End Encryption

• Zoom will soon offer end-to-end encryption and cryptographic user IDs in its meeting rooms.
• The company acquired Keybase, so they can quickly incorporate its expertise into the teleconferencing solutions.
• Zoom says no backdoors will be built into the app, so there won’t be a way to monitor the meetings secretly.

For financially-strong companies, it often makes sense to acquire a smaller entity that has expertise in something the company is lacking instead of investing resources to develop in-house solutions. It’s easier, quicker, and places someone in a better market position since absorbing others is better than competing with them. In this context, Zoom has decided to acquire Keybase, a social networking service that specializes in end-to-end encryption and identity verification solutions. Keybase is a reliable tool, offering chat, cloud storage, and PGP key-based identity verification, and we even trust it with our tipster communications along with Signal.

Zoom has received a lot of criticism about its weak encryption lately, with people urging the company to finally implement “end-to-end” encryption. Right now, the audio and video content that flies between Zoom clients is encrypted and also decrypted on the spot using AES-128 with 256-bit keys. Recently, researchers figured that Zoom servers are sharing the same key to all meeting participants in ECB mode, which could make them guessable. Moreover, some of these keys were found to derive from Chinese-based servers, which raised additional security and data routing concerns.

All that will change soon, as Zoom promises to enhance their product’s security and finally incorporate end-to-end encryption on all content that is shared while teleconferencing on “Rooms” and “Phone.” However, this will be made available for paid accounts, so freeloaders will have to accept whatever security the platform has to offer them.

More technical details will be published on May 22, 2020, but for now, the software company states that each logged-in user will generate and send a Keybase-style cryptographic identity on Zoom’s network to help establish trust between the attendees. The meeting host will generate an ephemeral symmetric key for the meeting, and it will be distributed to the clients enveloped with the keypairs. These will be rotated every time something changes, like when a new member joins the room, for example.

As for the user privacy, Zoom assures that they will not proactively monitor meeting contents, but their reviewers will continue to use automatic abuse detection tools or investigate relevant user reports. Moreover, they clarified that no law-enforcement backdoors will be provided for interception purposes, so there would be no way to decrypt the network traffic. Finally, Zoom claims that they have no way to insert employees or others into meetings without this being made visible to the participants.