7.12.1 Areas to Improve

While E2E meetings offer strong security properties to Zoom users, there are still opportunities for improvement, both in the key agreement layer and in the identity layer. Meddler-in-the-Middle. The meeting leader security code and IDP attestations are countermeasures for the classic MitM attack, wherein Bob isn’t actually connecting to Zoom; he’s connecting to Eve who is proxying his communications. Both solutions have limitations: they can be defeated by deep fake technology, introduce some UX friction, or require additional trust assumptions. Sigchain-backed identities (Section 7.11) and the ZTT (Section 4) will further improve the security properties and UX. Anonymous Eavesdropper. An adversary, in conjunction with a malicious Zoom server, types in a name of their choosing, turns off video, mutes their microphone and just observes. Checking security codes and cryptographic identity can help address this problem partially.

Impersonation Attacks Within the Meeting. Even if Alice and Bob are both authorized to be in the meeting, if Alice has the help of a malicious server, she can inject audio/video for Bob. Charlie would have no way of knowing that Bob’s stream was being faked.