After intense scrutiny, Zoom tightens up security with version 5. New features include not, er, spilling video calls to network snoops

No dog-eared National Geographic for those left in the virtual waiting room

Zoom's ongoing game of whack-a-mole with security bugs in its code continued today with the imminent emission of version 5, replete with support for 256-bit AES-GCM encryption.

It's the latest in the video-conferencing software maker's 90-day plan to overhaul its platform's dodgy security after a hellish few weeks at the hands of security researchers, privacy activists, and journalists. As hundreds of millions of netizens, forced to stay home and work remotely if possible amid the coronavirus pandemic, flocked to Zoom's chat products, its code fell under intense scrutiny. Various shortcomings were found – from end-to-end encryption that didn't exist to wobbly password protection on calls.

The encryption upgrade in Zoom 5.0 will better protect data in transit – it previously used AES-ECB, which leaked video frames to eavesdroppers. "System-wide account enablement will take place on May 30," Zoom's Colleen Rodriguez said of this improvement.
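An added illustration of why the move away from ECB matters (not code from Zoom or from this article): ECB turns equal plaintext blocks into equal ciphertext blocks, while the counter mode that GCM uses for confidentiality does not. The block cipher is a toy Feistel stand-in for AES built from the standard library, the frame is constructed sample data, all function names are hypothetical, and GCM's authentication tag is not modelled.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes, the same block size as AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation. A stand-in for AES, NOT AES itself."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted on its own, with no nonce or chaining.
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: keystream block n = E(96-bit nonce || 32-bit counter n).
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = toy_block_encrypt(key, nonce + n.to_bytes(4, "big"))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def demo() -> dict:
    key = os.urandom(32)
    # Constructed "video frame": 48 blocks of flat background, 16 of detail.
    frame = b"\x10" * (48 * BLOCK) + bytes(range(256))
    ecb = ecb_encrypt(key, frame)
    ctr = ctr_encrypt(key, os.urandom(12), frame)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # background visible as repeats
        "ctr_repeats": repeated_blocks(ctr),
        "ecb_same_twice": ecb == ecb_encrypt(key, frame),
        "ctr_same_twice": ctr == ctr_encrypt(key, os.urandom(12), frame),
    }

if __name__ == "__main__":
    print(demo())
```

The repeat count under ECB is exactly the structure an eavesdropper can read off the wire without the key; a fresh nonce per message removes it.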

In addition to the encryption, Zoom will allow account admins to select which of its data centers can handle users' data, after some of Zoom's servers in China ended up handling calls from outside China. So now you'll be able to choose which region of the world your chats can flow through.

However, it is in the user experience that Zoom may start to come a little unstuck, as it ramps up security by making its platform, frankly, a little harder to use. One of the contributing factors to its success was the frictionless way in which netizens were able to connect, at the unfortunate cost of iffy security.

Witness the Zoom-bombing phenomenon, made possible by brute-forcing IDs for password-less meetings, somehow bypassing the call passwords, or by scanning social media for shared access details.

To lock things down a little more, the Waiting Room feature, where participants are kept in individual virtual waiting rooms to be vetted by the host, will be on by default for basic, education and single-license Pro accounts. Meeting passwords, in theory already on for most customers, may have their complexity defined by administrators.

Your humble vulture has had personal experience of non-technical acquaintances struggling with the waiting room concept and there is a danger that by making the experience more secure, Zoom risks customers looking elsewhere for their face-to-face fix.

Other changes include a UI shift to group security features together as well as improved host controls to permit the meeting host to easily report users or disable the ability for participants to rename themselves. Passwords are also set by default for cloud recordings, and larger organisations will welcome the ability to link contacts across multiple accounts.

Breathless from its trumpeting, the company urges punters "to update your Zoom app to Zoom 5.0, please visit".

We'd suggest holding fire a bit longer – at time of writing, only version 4.x was available. We've asked the company exactly when the wonders will be bestowed and will update when it responds. ®

Biting the hand that feeds IT © 1998–2021