Zoom rolls out end-to-end encryption for all users

Phase one of Zoom's four-step encryption plan is live. Here are the must-knows about its security trial balloon.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

Whether you're using a free or paid Zoom account, you'll now be able to get your first look at the videoconferencing giant's new end-to-end encryption (E2EE) feature as the company rolls out the first phase of a four-step security plan. The E2EE feature is available as a technical preview both for those who join and those who host sessions with up to 200 participants, Zoom said Monday. The company is actively seeking feedback from users for the first 30 days after the feature's launch. Zoom also unveiled a new events platform, called OnZoom, and apps within Zoom called Zapps. 

In May, Zoom CEO Eric Yuan said the company would offer end-to-end encryption to all users, despite previously saying the feature would be a premium one, for paying customers only. As a massive surge in users at the onset of the coronavirus pandemic drove more people working from home toward the videoconferencing software, the increased public focus revealed several Zoom security problems, and the fact that an earlier Zoom claim of end-to-end encryption was baseless.

"End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world. This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people," Yuan said in a previous blog post.

On Monday, the company said E2EE is available on Zoom desktop client version 5.4.0 for Mac and PC, the Zoom Android app, and Zoom Rooms, with the Zoom iOS app pending Apple App Store approval.


Under the hood

Though Zoom meetings already have some level of encryption, that process usually happens when Zoom's own servers generate encryption keys and distribute them to meeting participants via the Zoom app. All your information sent through Zoom's app during those meetings -- all the audio, video and in-app functions -- is then protected by default with standard AES-256 encryption. That information isn't decrypted until it reaches your recipient. 

Sounds good, right? It is, except that the encryption keys to your information are normally created and managed by Zoom's servers, which is a security liability. To improve on that flaw, Zoom's new E2EE feature takes a hands-off approach to your encryption keys by using public-key cryptography. So when you host a meeting and enable Zoom's E2EE feature, your meeting's encryption keys are generated by your own machine -- not Zoom's servers -- and sent to your meeting's participants. Since Zoom's servers don't have the keys to unlock the secrets of your message, theoretically they have no way to decipher the content of your meetings.

The limits of E2EE

Zoom said there are limits to the new E2EE feature's compatibility with the rest of Zoom's functions.

"Enabling this version of Zoom's E2EE in your meetings disables certain features, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions," Yuan said. 

He added, however, that Zoom plans to roll out further improvements in 2021. 

How to enable encryption in Zoom

If you want to host a meeting with E2EE enabled, you've got options. Once the feature is live, account administrators will be able to make E2EE mandatory for anyone joining a meeting, and they'll be able to change that setting at the user, group or even entire account level. Free-level Zoom users enabling E2EE will be prompted the first time to go through a form of two-factor authentication, which may include verifying a phone number via text message. 


If you're invited to a meeting as a participant, you'll be able to tell whether you're in an E2EE meeting by checking the upper left corner of your screen for a green shield logo -- similar to Zoom's current encryption symbol -- that will now have a padlock icon in its center instead of a checkmark. The meeting host or leader will also have a hand in verifying that your meeting is secure. You'll be able to see your host's security code, and the host can read the code on her or his screen aloud so you can make sure it matches the code you're seeing. 
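The host-generated meeting key from "Under the hood" and the spoken security code check described above can be sketched in a few lines. This is an added example, not Zoom's code or protocol: the function names are hypothetical, and X25519, HKDF-SHA256, AES-256-GCM key wrapping and the 15-digit code format are assumptions chosen for illustration.

```javascript
// Added illustration, not Zoom's protocol. Algorithms and names are assumed choices.
const crypto = require('node:crypto');

const newIdentity = () => crypto.generateKeyPairSync('x25519');
const pubBytes = (key) => key.export({ type: 'spki', format: 'der' });

// Derive a 32-byte wrapping key from an X25519 shared secret.
function wrapKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'meeting-key-wrap', 32));
}

// Host side: encrypt the locally generated meeting key for one participant.
function sealMeetingKey(meetingKey, hostPriv, participantPub) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', wrapKey(hostPriv, participantPub), iv);
  const ct = Buffer.concat([c.update(meetingKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Participant side: recover the meeting key. Throws unless the envelope was made
// for this participant by the holder of the private key matching hostPub.
function openMeetingKey(env, participantPriv, hostPub) {
  const d = crypto.createDecipheriv('aes-256-gcm', wrapKey(participantPriv, hostPub), env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]);
}

// Short code both sides can read aloud: digits derived from the host's public key.
function securityCode(hostPub) {
  const h = crypto.createHash('sha256').update(pubBytes(hostPub)).digest();
  return [0, 4, 8].map((i) => String(h.readUInt32BE(i) % 100000).padStart(5, '0')).join(' ');
}

function demo() {
  const host = newIdentity(), alice = newIdentity(), relay = newIdentity();
  const meetingKey = crypto.randomBytes(32); // generated on the host's machine
  const env = sealMeetingKey(meetingKey, host.privateKey, alice.publicKey);
  const aliceGotKey = openMeetingKey(env, alice.privateKey, host.publicKey).equals(meetingKey);
  let relayGotKey = true; // the relay forwards env but holds neither private key
  try { openMeetingKey(env, relay.privateKey, host.publicKey); } catch { relayGotKey = false; }
  // If a different key were presented as the host's, the spoken codes would not match.
  const codesMatch = securityCode(host.publicKey) === securityCode(relay.publicKey);
  return { aliceGotKey, relayGotKey, codesMatch };
}
console.log(demo());
```

The relay's failed decryption is the property the article describes: a server that only forwards the wrapped key cannot recover it. The mismatching codes show why reading the host's code aloud catches a swapped key.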

To give Zoom your take on its E2EE feature, you can submit feedback directly through the Zoom client, navigating to Settings and selecting Feedback.
