Originally published at: https://tidbits.com/2020/04/15/zoom-repairs-flaws-and-improves-privacy/
Following several terrible, horrible, no good, very bad days for Zoom, with the disclosure of multiple security and privacy exploits and problems, the company has, instead of moving to Australia, fixed nearly every outstanding issue and even enhanced its interface. Will it be enough to restore trust?
They have really been saying and doing the right things since the wave of criticism hit. Obviously, this needs to continue, but I’ve been impressed so far.
Thank you, Glenn. Great news.
I like Zoom’s quality and ease of use (I do hope they eventually fix their broken GUI* though). If it can get its act together on governance and security/privacy I’d be very happy. The UC system uses them even though we are usually a Google shop these days and I personally hope we can continue to use Zoom. These changes sound like they could help make that happen.
[* things like forcing the pref window to float, no return/esc keyboard equivalent for OK/cancel buttons, non-Mac standard GUI behavior, etc. ]
It also looks like they fixed the installation procedure for the Mac app. Previously, the app installed in the pre-flight phase of the procedure, bypassing several checks and installation options for the user. When I installed the current update, I got several windows letting me know the progress of the installation, allowing me to respecify the location where the app should be installed, and whether I wanted to install the app for the current user or all users on the machine.
The only minor annoyance is that after the updated app starts, it covers the window letting you know the installation has been completed, so that you end up not seeing the notification that the installation is complete until you quit the app.
I’m afraid this is consistent with the rest of the app’s GUI approach to floating panels. Same with prefs for example. It’s annoying and un-Mac-like.
Yes, that was fixed within a few days of it being noted on Twitter. The CEO responded to the original poster on Twitter, even! It’s noted in our article from last week, as the fix was in before we published.
We suspect that Zoom will never be able to recover from its mistakes in the eyes of some people. For those who aren’t as adamantly opposed to the company, however, it does seem that the company is both saying the right things and working hard to move in the right direction.
Where I live, we have a saying ‘Trust comes on foot and goes by horse’, so I think it is going to take quite some time. The company I work for has forbidden us to use Zoom. We’ll see when they change that directive. For now we can use Teams and Skype.
I wondered about installing it in a separate user in macOS. Is that significantly more snoop resistant to the kinds of things Zoom has done? I’ve been using it in iOS for that reason, but the small screen is a disadvantage.
In its latest update, Zoom said it’s adding an abuse-reporting feature.
Setting to allow host to report participants to Zoom
Account owners and admins can now enable a setting to allow the host to report participants to Zoom. This feature will generate a report which will be sent to the Zoom Trust and Safety team to evaluate any misuse of the platform and block a user if necessary. This setting is available at the account, group, and user level and can be locked at the group or account level. This setting requires Zoom client version 4.6.12, which will be released on April 26, 2020.
I’ve been quite impressed with Jitsi as an alternative solution to zoom, due to its (zoom’s) shoddy security and privacy (which they are fixing, but by bandaids rather than surgery).
Jitsi is open source, free, and has almost all of the features of zoom. I stress tested it against zoom on a multi-party call and found it to be more resilient than zoom in terms of handling network congestion. It has a neat YouTube video sharing feature too.
Downsides are it doesn’t behave well in safari (but works fine in Chrome), lacks the breakout rooms that zoom has, and scheduling meetings is a little fiddly (but a Chrome extension has fixed that).
Despite the work they have done, I won’t be going back to zoom.
My company’s IT people, a defense contractor, have instructed us to NOT participate in any Zoom calls. We have technical data that needs to be controlled and have been told Zoom doesn’t cut it for us.
Rich
This is totally fair. As I note in the original article, anyone with heightened security concerns needs to avoid Zoom, because it doesn’t have a model that’s robust enough to ensure protection. That is, it is very likely perfectly private to use, but it’s not effectively guaranteed to be 100% private. For personal and education users and most businesses, the difference isn’t meaningful. Steven Bellovin’s examination of the likelihood of interception and decryption is a good read on this.
But if you are in an industry in which there’s a mandate for government-grade security and protection, as you are, or in legal, financial, or medical fields, I don’t think Zoom meets the bar for that. It might be fine, but it hasn’t proven it well enough. As they fix their flaws and overhaul encryption, I expect they will then go through independent audit and certification, which will let them provide the sort of outside assurances needed for fields that require it.
I don’t think there’s a risk on that side of things. There were flaws in previous versions (particularly the one fixed mid-2019) that created a risk to your device. More recently, the flaws are largely about meetings, servers, and stuff that happens within an app, as opposed to operating system related flaws. (The Windows link issue was an app thing that allowed a file exploit, so it was serious, but it required someone being able to chat with you or join a meeting; it didn’t leave a Windows machine vulnerable generally.)
Hi Glenn: Yes, it was your original article that flagged me to this. I would say that anyone who wants a secure connection, should probably bypass zoom for now. For us, it means BIG fines and penalties, so we really need to avoid Zoom.
The hospital I work at is using VidyoConnect for seeing patients during the COVID pandemic. Some doctors here use Doximity, but I am hesitant about it as it seemed to have grown out of LinkedIn. Also, when I was signing up to verify my identity (after giving only my name and birthdate), it asked me the year of my car on the verification info. That seemed a bit too creepy to me. I wasn’t sure how my financial info could be pulled from basic data, but it caused me to back out of the sign up.
Not sure how secure they are, though they state they are HIPAA compliant.
Thank you Glenn. I was thinking about Zoom grabbing email info, but maybe that was another app.
Zoom has now posted a report on its security progress after 90 days.