6.3 Emails to and from External Users

Zoom Mail Service users may send or receive emails from external users who aren't using the same platform. Such emails cannot be E2E-encrypted, as this encryption is not compatible with external mail providers; the server must see the email contents while receiving from or sending to external email providers using standard protocols. We nevertheless wish to provide the strongest feasible security guarantees.

When Zoom Mail Service servers receive emails from external users, they follow essentially the same procedure as a Zoom Mail Service sender to encrypt the email for each recipient's most recent PUK, except that they omit the sender public signing key and corresponding signatures, as previously described. After encryption, any plaintext copies of the incoming email are deleted in order to prevent a later memory compromise from violating email confidentiality.

When sending an email that includes external recipients, clients flag the email as not E2EE and share a decryption key with the server, as described earlier. The server uses this key to decrypt the email and relay it to the external recipient using standard email protocols.

We also offer password-protected (sometimes called "expiring" or "access restricted") emails as a more secure option when emailing external recipients. The client freshly samples a high-entropy key (which we call a password), then creates an additional recipient box by encrypting the shared symmetric key for that password. Both the ciphertext and the password are sent to the server. In lieu of the plaintext email contents, Zoom Mail Service sends the recipient a link to a Zoom-hosted web page. The fragment component of the link (the part after `#`, which browsers do not send to the web server) contains both the password and the recipient-associated digest (Section 6.1). After sending the email to the recipient, Zoom Mail Service erases the password from its memory and storage.

When the recipient's browser visits the link, the JavaScript on the web page validates the provided ciphertext against the recipient-associated digest, then decrypts the email client-side using the password. Neither the password nor the plaintext email contents are sent back to the Zoom servers. Additionally, senders set an expiration time after which password-protected emails are automatically deleted by the Zoom server.

Password-protected emails offer several security benefits. The recipient's (and any intermediate) email servers never process email contents directly, limiting exposure, and all requests to visit the link can be logged by Zoom. If the Zoom server's storage is compromised after it sends such an email and deletes the password, the email ciphertext remains undecryptable. This does not rule out an active attack where a compromised server waits for the recipient to visit the link and serves them malicious JavaScript to obtain the password. However, this attack could only happen before the email expires and the ciphertext itself is deleted. We consider this an acceptable tradeoff given the convenience it provides to the recipient, who is not required to install additional software.
