Zoom continues its catch-up security sprint with new training, bug bounty tweaks and promise of crypto playbook

Sigh. How many users did it have before it started this stuff?


Zoom has outlined more about its efforts to improve its security.

For starters, secure coding environment provider Secure Code Warrior (motto: Secure your code, from the start) has announced it's been hired to implement its wares at the video chat company.

You may recall that Zoom’s end-to-end encryption was found not to be end-to-end and not to use very strong encryption. A fix is not in sight as the company has also announced that it will publish a “detailed draft cryptographic design for our end-to-end encryption offering” on Friday May 22nd. Which is the Friday before a long weekend in the USA and UK, timing that could backfire with plenty of techies in lockdown but which also looks like take-out-the-trash time.

Lastly the company has blogged that it is “soliciting feedback” on tweaks to its bug bounty program.

Not all of Zoom’s security improvements remain on its to-do list: the company has released a new version 5.0 client that added AES 256-bit GCM encryption. Come May 30th only Zoom 5.0 clients will be able to join meetings, so that’s a nice improvement.

All of which is grand until one remembers that Zoom had around ten million daily meeting participants in late 2019, before the COVID-19 pandemic spiked numbers to around 200 million a day in March and around 300 million a day by April. And all those meetings took place without the security improvements mentioned above. ®
