Zoom, in a bid to provide end-to-end encryption to its paid users, is acquiring secure messaging and file-sharing company Keybase.
Keybase staff will essentially help Zoom build an end-to-end encryption system for the company’s video conferencing service, which will be available to paid users.
The acquisition, confirmed by both companies, comes weeks after Zoom admitted it wasn’t actually offering full encryption as previously advertised. The video conferencing service does encrypt your video sessions. However, the main flaw with Zoom’s system is that the encryption keys are generated and stored on the company’s servers. Although Zoom says it has never mishandled the keys, by holding on to them the company theoretically has the power to decrypt your video sessions, or to transfer the keys to someone else, like a government authority.
To fix this, Zoom is creating an end-to-end system that will generate the encryption keys to video sessions from the meeting host’s computer — not from a company server. “This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees,” the company confirmed as part of a blog post announcing the new acquisition.
“The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting.”
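A minimal Node.js sketch of the scheme the quotes above describe, added here as an illustration and not Zoom's or Keybase's code: the host generates the meeting key, envelopes it to each attendee's public key, and rotates it when the attendee list changes. The announcement names no algorithms, so X25519, HKDF-SHA256, AES-256-GCM, the envelope layout and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

// SPKI DER bytes of a public key, used as the wire form and as KDF context.
const der = (pub) => pub.export({ type: 'spki', format: 'der' });

// Key-wrapping key: HKDF-SHA256 over the X25519 secret, bound to both public
// keys. Algorithms and info layout are assumptions of this sketch.
function wrappingKey(shared, ephDer, devDer) {
  const info = Buffer.concat([ephDer, devDer]);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}

// Host side: seal the meeting key to one device's public key.
function wrap(meetingKey, devPub) {
  const eph = crypto.generateKeyPairSync('x25519');
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: devPub });
  const iv = crypto.randomBytes(12);
  const k = wrappingKey(shared, der(eph.publicKey), der(devPub));
  const c = crypto.createCipheriv('aes-256-gcm', k, iv);
  const sealed = Buffer.concat([c.update(meetingKey), c.final()]);
  return { ephPub: der(eph.publicKey), iv, sealed, tag: c.getAuthTag() };
}

// Device side: recover the meeting key. Throws if the envelope was sealed for
// a different device or was modified in transit (GCM tag check fails).
function unwrap(env, dev) {
  const ephPub = crypto.createPublicKey({ key: env.ephPub, type: 'spki', format: 'der' });
  const shared = crypto.diffieHellman({ privateKey: dev.privateKey, publicKey: ephPub });
  const k = wrappingKey(shared, env.ephPub, der(dev.publicKey));
  const d = crypto.createDecipheriv('aes-256-gcm', k, env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.sealed), d.final()]);
}

// Host side: fresh random key, enveloped only to the current attendee list.
function rotate(attendees) {
  const key = crypto.randomBytes(32);
  const envelopes = new Map();
  for (const [id, pub] of attendees) envelopes.set(id, wrap(key, pub));
  return { key, envelopes };
}

// Constructed demo: bob leaves, the host rotates, bob gets no new envelope.
const alice = crypto.generateKeyPairSync('x25519');
const bob = crypto.generateKeyPairSync('x25519');
const first = rotate(new Map([['alice', alice.publicKey], ['bob', bob.publicKey]]));
const second = rotate(new Map([['alice', alice.publicKey]]));
console.log('bob reads first key:', unwrap(first.envelopes.get('bob'), bob).equals(first.key));
console.log('bob enveloped after rotation:', second.envelopes.has('bob'));
```

How the host checks that a public key really belongs to an allowed device is outside this sketch; the envelopes protect the key only as far as those public keys are trusted.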
Building an encryption system isn’t easy, though, and that’s why Zoom thought it wise to bring Keybase into the picture. Keybase, a company that was founded in 2014 and is based in New York, has been offering its own end-to-end encrypted chat system, which works on PCs and smartphones.
Unlike regular end-to-end encryption, Zoom’s proposed end-to-end encryption does have a few limitations. For one, it won’t work for meeting sessions that let people connect via a phone call, or when Zoom’s cloud video recording is switched on. But the system should be applicable to most users, who are connecting via PC and mobile devices.
“We believe this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the choice of over 300 million daily meeting participants, including those at some of the world’s largest enterprises,” the company added.
Zoom plans on publishing more details about the end-to-end encryption implementation on 22nd May, with the goal of getting feedback from the security community and customers.