Zoom meetings aren’t actually end-to-end encrypted, despite misleading marketing on their website, in their security white paper, and in the user interface in their app theintercept.com/2020/03/31/zo by @yaelwrites and myself

@ln4711 @micahflee
The end is under your control. Makes a difference ...

@ps
Oh yes! I was being snarky. Seems like what they're trying to fool people into believing is that *their* point is as good as yours. Utter bullshit.
@micahflee

@ln4711
agreed: all endpoints are equal ... some are more equal, however

@micahflee

@micahflee @yaelwrites zoom works with 10+ simultaneous video streams because it uses Multipoint Control Unit (MCU) so by definition it needs to access all video streams (to remix and efficiently redistribute them); jitsi uses SFU so it is E2E encrypted, but as more and more participants join the bandwidth is all taken medium.com/linagora-engineerin

@paolog @micahflee @yaelwrites jitsi meet (which is based on webrtc) is not encrypted tho

@charlag @paolog @micahflee @yaelwrites

neither is Zoom, so it's impossible to tell which is better. there we go

@solder_on @paolog @micahflee @yaelwrites wtf is that. Is this aggressive irony or is it genuine hot take

@charlag @paolog @micahflee @yaelwrites

more like passive aggressive irony I guess? but it's not about you and it's by no means informed about either shitty* codebase

* all code is shit, b/c Sturgeon's Law and rounding up to 100%

@charlag @micahflee @yaelwrites thanks for the correction; according to the devs jitsi meet is not E2E encrypted except for 1:1 videoconfs with p2p mode on github.com/jitsi/jitsi-meet/wi

@paolog @micahflee @yaelwrites I was trying to figure out if calls in Jami are e2e or not but they're kinda vague about that

@paolog @micahflee @yaelwrites False, jitsi is not E2E encrypted for anything but 1-on-1 conversations.

@paolog @micahflee @yaelwrites Thanks for the link, that part of the thread was not federated to my instance.

@micahflee @yaelwrites Speaking as a cybersecurity student...

*rages internally more than they already were*

@micahflee @yaelwrites What e2ee video/audio platforms actually exist, and are accessible, though?

What is our better option?

@yaelwrites @eryn @micahflee Jitsi supports E2EE for 1-on-1 conversations. Hard to determine whether meet.jit.si uses that config, but it's a bit of a red herring anyway, as self-hosted services provide much better guarantees than any third-party (proprietary) service claiming E2EE ever could.

@micahflee @yaelwrites Group video cannot be end-to-end encrypted if you don't want to transfer every stream from everyone to everyone. The server will have to decrypt and remix it. That's also the way Jitsi works. But it's encrypted during transport.

@kaffeeringe @micahflee @yaelwrites Why can’t the server just redistribute the raw stream (which uses symmetric encryption, with a key shared securely at the start of the call)?

@melgu @kaffeeringe @micahflee @yaelwrites Bandwidth problems! And also your PC has to decrypt all streams live.

@linos @kaffeeringe @micahflee @yaelwrites That shouldn’t be an issue. I mean you can easily download stuff with an iPhone at Gigabit speeds, which also has to be decrypted if it comes via HTTPS, so it’s not a problem for any somewhat modern computer.

FaceTime allows big group calls and it is E2E encrypted, so there must be a way.

@melgu @kaffeeringe @micahflee @yaelwrites On a recent fancy macbook pro notebook for sure. But many have old computers, with no modern hardware accelerated video decoding processors. In my area most people have a 12Mbit connection shared by four people.

@linos @kaffeeringe @micahflee @yaelwrites Like I said, most PCs support Gigabit Downloads (which inherently requires decrypting data at that speed). So it’s not a stretch to assume they can decrypt an at most 2-3 Mbit Stream (total) which uses symmetric encryption.

@melgu @kaffeeringe @micahflee @yaelwrites Decrypt it true, but not decode 10+ video streams at once, not in a browser.

@linos @kaffeeringe @micahflee @yaelwrites With each of them only being at a small resolution, the overall pixel count is manageable.

@melgu @kaffeeringe @micahflee @yaelwrites Just made a little test: When I play six moderately compressed 480p videos in one local html5 document, it uses 70% of my CPU. It's an Intel Core2Duo P8800 Firefox on Arch Linux.

@linos @kaffeeringe @micahflee @yaelwrites So a total resolution of 1080p is fine. You just have to divide that between participants.

@melgu @linos @kaffeeringe @micahflee @yaelwrites The amount of video rendering required doesn’t noticeably change if you decode eight 0.5 Mbit videos vs one 4 Mbit video.

@linos @kaffeeringe @micahflee @yaelwrites Why not? The bitrate stays the same. And the GPU shouldn't care, where to take the pixels from.

@melgu @linos @kaffeeringe @yaelwrites something I've been thinking about is, why does the server need to do the mixing? Why can't the meeting host get video from all participants, mix them, and send them back? This way there would only be N video streams instead of N**2

@kaffeeringe @melgu @linos @yaelwrites well there would still probably need to be a server, to facilitate everyone connecting to the meeting, and to start P2P connections between the participants and the host

@micahflee @kaffeeringe @melgu @linos @yaelwrites Please explain to me what is the categorical difference between a "host" and a "server" in this context?

@kekcoin @kaffeeringe @melgu @linos @yaelwrites a "host" is the meeting participant who starts the meeting. a "server" is the server, not a meeting participant

@micahflee @kaffeeringe @melgu @linos @yaelwrites I guess I would see the "host" as another (ad-hoc) "server" in that setup (being the server for the videoconference itself, whereas what you call the server simply hosts the software and potentially serves as a STUN server).

I certainly wouldn't consider it P2P, though I also see how it has some advantages over a traditional model where there is only one server (mostly privacy-related).

@micahflee @linos @kaffeeringe @yaelwrites I also thought about that. So basically company / self hosting. In that case, it wouldn’t matter as much that the server can see all the video.

@kaffeeringe @micahflee @linos @yaelwrites If you’re talking about business stuff only, then you always have to trust the admin of your employer.

For more private stuff you could host yourself (or someone you trust), if my proposed P2P solution isn’t an option.

@kaffeeringe
@micahflee @yaelwrites
No, it's not. Selective forwarders can work on e2e encrypted traffic.
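
The point in the last post, and the earlier question about a server redistributing symmetrically encrypted streams, as an added example that is not part of the thread or of any project's code: senders encrypt each frame with a call key the forwarder never holds, and the forwarder routes on a clear-text header only. The function names, the JSON header and the subscription table are assumptions for illustration, and the call key is assumed to be agreed between participants out of band.

```javascript
const crypto = require('node:crypto');

// Sender: encrypt one media frame with the call key. The header stays in
// clear text, but is authenticated as AAD, so a forwarder can route on it.
function sealFrame(callKey, senderId, seq, media) {
  const header = Buffer.from(JSON.stringify({ senderId, seq }));
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', callKey, iv);
  cipher.setAAD(header);
  const body = Buffer.concat([cipher.update(media), cipher.final()]);
  return { header, iv, body, tag: cipher.getAuthTag() };
}

// Receiver: verify and decrypt; throws if header or body was altered.
function openFrame(callKey, frame) {
  const d = crypto.createDecipheriv('aes-256-gcm', callKey, frame.iv);
  d.setAAD(frame.header);
  d.setAuthTag(frame.tag);
  return Buffer.concat([d.update(frame.body), d.final()]);
}

// Selective forwarder: holds no key, reads only the clear header, and
// relays the untouched frame to every receiver subscribed to that sender.
function forward(frame, subscriptions) {
  const { senderId } = JSON.parse(frame.header.toString());
  const out = [];
  for (const [receiver, wanted] of Object.entries(subscriptions)) {
    if (receiver !== senderId && wanted.includes(senderId)) out.push({ to: receiver, frame });
  }
  return out;
}

// Constructed demo: three participants, one frame sent by "bob".
function demo() {
  const callKey = crypto.randomBytes(32); // stands in for the agreed call key
  const subs = { alice: ['bob', 'carol'], bob: ['alice'], carol: ['alice', 'bob'] };
  const frame = sealFrame(callKey, 'bob', 1, Buffer.from('constructed video frame'));
  const deliveries = forward(frame, subs);
  const recipients = deliveries.map((d) => d.to).sort();
  const plaintext = openFrame(callKey, deliveries[0].frame).toString();
  // A forwarder that rewrites the header is detected by the receivers.
  const forged = { ...frame, header: Buffer.from(JSON.stringify({ senderId: 'carol', seq: 1 })) };
  let tamperDetected = false;
  try { openFrame(callKey, forged); } catch { tamperDetected = true; }
  return { recipients, plaintext, tamperDetected };
}

console.log(demo());
```

The forwarder still learns who sends to whom and when, and each receiver still has to download and decode every stream it subscribes to, which is the bandwidth and CPU cost debated earlier in the thread.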
