We had a *huge* advantage when designing this: Zoom already has the meeting contents traverse the servers encrypted. So what you’ll see in this paper is changing how Zoom does key management rather than a full-on design for a videoconferencing system.
Like I said when Zoom acquired Keybase: crypto is better with friends. The Keybase folks are amazing, as are @alexstamos and @matthew_d_green.
Also: please put your comments in the github because if we tried to use Twitter and HN as a project management tool it’s going to be excessively exciting.
@alexstamos has a better list of Twitter handles (and thanks to all of the other folks who were involved, including the external counsel who suggested we use the phrase "as contemplated herein" multiple times and I almost did it) https://twitter.com/alexstamos/status/1263896949712814080 …
Quoted tweet from Alex Stamos (@alexstamos): Zoom has published an initial design and roadmap for deploying end-to-end encryption for hundreds of millions of meeting participants. Check it out and leave your comments here: https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf …
Replying to @LeaKissner @alexstamos
Coming in hot with my q's about the web client
https://github.com/zoom/zoom-e2e-whitepaper/issues/2 …
What’s the new hotness in protecting JS from being changed for one user?
Replying to @alexstamos @sleevi_ and
My version of this question: what's the new hotness in protecting against any malicious dynamic code changes (including auto-updated code, which of course is a baseline security practice now), on any platform? E.g. is anyone really verifying Signal's reproducible builds...?
Replying to @fugueish @alexstamos and
I don't really know what reproducible builds prove, that the build server wasn't compromised? If Signal were malicious, they could just add a bugdoor, so you still have to trust them not to be malicious.
Reproducible builds prove that the code you’re reviewing is the code that is being distributed and nothing else. They’re generally only useful in situations where you both don’t trust the vendor at all but believe you can gain trust in the code base through code review.
Or where you have more trust in the author of the code than in the vendor who built and packaged it for you.