What about security?

Best Practices Vergelijkingen 5 min read

A lot has been going on about security breaches at major videoconference provider Zoom. Why is Zoom targeted so extensively? Is it really such a pain or is it the "tall poppy syndrome”? And... how does Vectera compare?

First, there is a hard trade-off between providing the best user experience and making everything extremely secure. People prefer simplicity over complexity and the vast majority hardly cares about security until there really is an issue. That is what is happening today. For years, Zoom operated within this grey zone between UX & security. Zoom has a relatively simple user experience (although people still need to download desktop clients) and boldly claims that it is superior and different compared to others. Being different can be great. Thinking differently has long been the mantra of one of the most valuable companies in the world. But it makes you vulnerable when everyone moves in one direction, and you are left there, thinking differently.

What are the flaws and how is Vectera different?

1) Zoom bombing (partly fixed)

You can join any Zoom meeting by using a meeting ID if there is no password protection (which was the default). That is a serious flaw, but it is no different than for example Webex... You can use a meeting ID generator to access random Zoom meetings. Zoom meeting ID’s have 10 digits, meaning there are 10^10 = 10 billion combinations possible. If there are 100 million meetings active, you can find a meeting ID with a chance of 1/100... which is quite likely. Chances are low you'll find the meeting ID of the British prime minister, but it's certainly a problem. Meanwhile, passwords have been enabled by default.

Vectera works differently: you generate meeting rooms (I have hundreds) with a unique access link. First, an attacker would have to guess the unique access link that is actively being used. And while there is indeed a chance that someone can figure that out, I still have to be present in that specific meeting room to grant the attacker access. There is no way to access a Vectera meeting room with a password. The meeting host has to grant you explicit access. You could override the default security measures of Vectera and explicitly unlock all your meeting rooms but...why on earth would you do that?

Optionally, you can use Vectera with single-link access keys that have a minimum of 30 characters (characters, not digits). There are 36^30 = 48873677980689300000000000000000000000000000000 combinations. Even if you have 100 million meeting rooms that are all using a unique access key (which is optional), it will still be extremely hard to guess one (approx 1/ 1000000000000000000000000000000000000000)

It would take forever to guess a Vectera access key. The key/password is a dummy.

We can say with certainty that this process is superior and virtually impossible to penetrate.

2. Sending data to Facebook (fixed)

There have been reports about Zoom for iOS sending data to Facebook. While this seems fixed by now, it's just a very questionable company practice of using data this way.

The best way not to leak data is not having an app that is leaking data. Vectera is completely web-based, which means there is no need for an app, not even for iOS. Never say never, Vectera might create an app because it enables screen sharing from mobile but it is not foreseen in the near future.

Vectera uses Facebook too, for advertising purposes. When you visit Vectera, the Facebook pixel is used to show an occasional Vectera ad on Facebook. That's a common practice and this is implemented in our data and cookie policy.

3. Zoom desktop client is malware (partly fixed)

That's a bold statement and it's not coming from Zoom this time. In short, is it malware? No. The desktop app uses a few practices that are used on Mac to circumvent installation safety measures. These practices are frequently used by hackers and malware producers to install cryptolockers and other malware on computers. That was a trade-off between user experience (less clicks) versus safety. This decision clearly backfired.

Another risk with desktop installations are Zoom-look-a-like installation packages. These "borrow" the identity of Zoom and pack malware into a genuine Zoom meeting request. After installing, nothing happens but in the background these malware processes start running. Some people got creative and bundled a cryptocurrency miner in the Zoom app. Unfortunately, this cat-and-mouse game of Zoom vs pirates cannot be fixed completely.

Real or fake? Pic source: https://www.pcrisk.com/removal-guides/17455-zoom-virus

Vectera does not work with local desktop clients. While we cannot rule out that someone creates a fake package of Vectera (or any of the other meeting providers), it is far less likely to succeed because Vectera is (at the moment) a niche player and Vectera does not require installations.

4. It's not encrypted (not fixed)

Video, audio AND (often neglected) screen sharing streams should be encrypted to prevent eavesdropping. Some researchers found out that statements around Zoom’s encryption were just false: Zoom is not using AES 256-bit encryption but the weaker variant AES128-bit. Furthermore, there were multiple vulnerabilities showcased in the process. There actually is a problem and it is not an easy one to fix.

Vectera works differently: it uses the industry-standard WebRTC protocol and sends streams peer-2-peer. All these streams are encrypted by default. Vectera uses a server to arrange the "handshake" to connect all relevant parties in a conversation, but after that all audio and video streams are sent directly from one meeting participant to another. In some cases the streams need to pass TURN servers when firewalls block the transport, but this does not "open up" the encrypted streams. This process is fully end to end encrypted on Vectera.

This is ideal for one-on-one meetings and small group meetings with up to 4-6 people. When meeting with more people, you need media servers to ramp up the amount of participants. When you meet with 50 people, your computer is not capable of sending 49 audio and video streams while receiving another 49 audio and video streams. These streams should be "mixed" together into one stream.

The transport to the media server is encrypted, the media server itself "opens" the streams, combines them together (mixing), and forwards the combined stream to the end receiver, again encrypted. There are ways to channel encrypted streams in group conversations but there is only limited use in practice. Because there is hardly transparency on this process at Zoom it’s hard to tell if what is really happening for any size of meetings, including small group conversations.

In short, large group meetings will likely not be E2E encrypted, whichever service you are using. Trust Vectera for small group meetings, they are E2E encrypted.

Conclusion

Security is important and a big responsibility lies with the technology provider. You can rely on Vectera and the end to end encrypted calls for 1-on-1’s and small group meetings. Questions or suggestions? Let us know.

Bonus: Is Zoom's performance superior?

Spoiler: it's not. At least for small group meetings.

video meeting quality video meeting