After intense scrutiny, Zoom tightens up security with version 5. New features include not, er, spilling video calls to network snoops

No dog-eared National Geographic for those left in the virtual waiting room

31 Reg comments Got Tips?

Zoom's ongoing game of whack-a-mole with security bugs in its code continued today with the imminent emission of version 5, replete with support for 256-bit AES-GCM encryption.

It's the latest in the video-conferencing software maker's 90-day plan to overhaul its platform's dodgy security after a hellish few weeks at the hands of security researchers, privacy activists, and journalists. As hundreds of millions of netizens, forced to stay home and work remotely if possible amid the coronavirus pandemic, flocked to Zoom's chat products, its code fell under intense scrutiny. Various shortcomings were found – from end-to-end encryption that didn't exist to wobbly password protection on calls.

The encryption upgrade in Zoom 5.0 will better protect data in transit – it previously used AES-ECB, which leaked video frames to eavesdroppers. "System-wide account enablement will take place on May 30," Zoom's Colleen Rodriguez said of this improvement.

In addition to the encryption, Zoom will allow account admins to select which of its data centers can handle users' data, after some of Zoom's servers in China ended up handling calls from outside China. So now you'll be able to choose which region of the world your chats can flow through.

However, it is with the user experience where Zoom may start to come a little unstuck as it ramps up security by making its platform, frankly, a little harder to use. One of the contributing factors to its success was the frictionless way in which netizens were able to connect, at the unfortunate cost of iffy security.

Google, photo by lightpoet via Shutterstock

Don't Zoom off elsewhere: Google plugs video-chat service Meet into Gmail as user eyes start wandering

READ MORE

Witness the Zoom-bombing phenomenon, made possible by brute-forcing IDs for password-less meetings, somehow bypassing the call passwords, or by scanning social media for shared access details.

To lock things down a little more, the Waiting Room feature, where participants are kept in individual virtual waiting rooms to be vetted by the host, will be on by default for basic, education and single-license Pro accounts. Meeting passwords, in theory already on for most customers, may have their complexity defined by administrators.

Your humble vulture has had personal experience of non-technical acquaintances struggling with the waiting room concept and there is a danger that by making the experience more secure, Zoom risks customers looking elsewhere for their face-to-face fix.

Other changes include a UI shift to group security features together as well as improved host controls to permit the meeting host to easily report users or disable the ability for participants to rename themselves. Passwords are also set by default for cloud recordings, and larger organisations will welcome the ability to link contacts across multiple accounts.

Breathless from its trumpeting, the company urges punters "to update your Zoom app to Zoom 5.0, please visit zoom.com/download".

We'd suggest holding fire a bit longer – at time of writing, only version 4.x was available. We've asked the company exactly when the wonders will be bestowed and will update when it responds. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020