Zoom Fixes Issues with Traffic Routed through Chinese Servers, Promises Better Encryption

Silviu STAHIE

April 07, 2020

An investigation by Citizen Lab highlighted a few security issues in the teleconferencing application Zoom, on all platforms, and the company was quick to promise sweeping changes that would make Zoom more secure and transparent.

Citizen Lab brought up two major issues: one related to traffic between Zoom participants being rerouted through Chinese servers, and another about end-to-end encryption that doesn't follow industry standards.

The investigation also brought up a non-technological issue. It turns out that much of the research and development of the app takes place in China, even though most of the revenue comes from the United States and Zoom is an American company. This would technically open the company to pressure from Chinese authorities.

Eric Yuan, CEO and founder of Zoom, has answers to a couple of technical issues but made no mention of the large team of developers working out of China.

First, it turns out that Zoom uses a geofencing feature that ensures traffic between participants outside of China is not routed through Chinese servers. Conversely, traffic inside China uses only servers in China.

After the application saw a surge in usage as the COVID-19 pandemic started to spread, the company added new servers to cope with the demand, and mistakenly added a couple of Chinese servers to a whitelist. The two servers were quickly removed after the Citizen Lab report came out.

The second problem relates to the end-to-end encryption theoretically used by the app. It turns out that, while Zoom uses the term end-to-end encryption, it's not actually referring to the industry standard.

Citizen Lab states that the encryption used by Zoom could allow the company to build tools and eavesdrop on conversations or even record them. The company said that they have no such tools and they are working to enhance protection, with the help of the community.

“Due to the unique needs of our platform, our goal is to utilize encryption best practices to provide maximum security, while also covering the large range of use cases that we support,” said Zoom's CEO.

“We are working with outside experts and will also solicit feedback from our community to ensure it is optimized for our platform.”

Following a flurry of Zoom security problems over the past month, including leaking data to Facebook through the SDK and bypassing macOS protections to install the client without admin rights, Eric Yuan said that implementation of new features was halted for 90 days and that the teams are focusing solely on security fixes.
