Security Week 24: Zoom and Brave browser privacy

Last week brought a couple of interesting news on the privacy of our data. In both cases, the secret of negotiations and user activity in the browser was discussed in a subjective manner. Such discussions are not very constructive in essence – someone says: “It seems to me that we should do this”, others reply: “But we don’t think so”. Such conversations can go on ad infinitum, and, unfortunately, it is not always possible to agree even on some simple things.

Case study: Zoom CEO Eric Yuang announced on a quarterly call with investors (news, discussion on Habr) about imminent implementation of end-to-end encryption system for video calls. And then he added that such a technology, unlike existing, less stable methods, will be available only to those who pay for the services of the company.

Alex Stamos, a former Facebook info section manager recently hired by Zoom as a security consultant, substantiated such a decision on Twitter. In short: in theory, end-to-end encryption makes negotiations inaccessible to everyone who does not participate in the call, including the service provider itself, government agencies, competitors and ordinary lovers to break into someone else’s, poorly protected conversation. Since the abuse of the teleconference service occurs mainly among free users, introducing more serious protection is premature for them: otherwise it will be difficult to deal with those who use Zoom for illegal purposes.

At the same time, it is technically possible to audit encrypted calls, weakening the protection, for example, by creating a ring buffer that stores the last couple of minutes of negotiations: if the participants in the call mark the discussion as illegal, the decrypted buffer will be sent to the moderators exactly at this point in the conversation. Zoom decided not to do so, which was the reason for the heated discussion.

We wrote about the situation with the protection of teleconferences in Zoom in the April digest. The current conversation encryption system is not end-to-end, and the algorithms used give an idea of ​​what is happening in the video stream, even without hacking. Alex Stamos also identified other problems: for example, what to do if someone wants to connect to a call from a mobile phone, and not through a proprietary application? In this case, the sound must be decrypted before broadcasting via conventional communication channels. In other words, the introduction of end-to-end encryption, which was promised after many cases of leakage of confidential negotiations, requires solving many technical problems. But the decision not to introduce more effective negotiation protection for free users is a business initiative, no matter how you explain it. Otherwise, the company may, for example, have claims from law enforcement agencies: you give the platform to criminals, and we cannot gain access to negotiations even by court order. Talk about privacy Zoom is not much different from the methods of protecting the data of smartphone owners and encryption of conversations in instant messengers.

Here begins the part “but we don’t think so.” Both Zoom and Stamos personally were criticized both in social networks and in mass media. If you remove the emotions, the question was discussed: is it possible to trade privacy? If we distract from Zoom and look at the big picture, it turns out that yes, quite, and everyone does it.
Apple is implementing effective data protection on its devices and touts it as an advantage. For those who care about the privacy of conversations, end-to-end encryption is an excuse to use specific messengers. In any case, the effect of a business decision will be measured in money: in the case of a paid web service, this will be an increase or decrease in revenue. But wait, the company’s commercial customers will get the maximum (at least in words) protection.

In general, it is normal if the business provides some features (including security) to those who are willing to pay for the service. In addition to subjective opinions on this subject, the only constructive reaction occurred on the part of the developers of the Signal open messenger. They announced the creation of a system of highly secure video calls.

Another discussion on a similar topic. On Saturday, June 6, a Twitter user noticed that the Brave browser adds a unique code to the URLs of some sites if you enter them in the address bar. A referral is added, for example, if you go to the Binance crypto-exchange website.

It’s clear why add the code: there is a partnership agreement between the browser developer and the owner of the resource, there is compensation for attracting the user, and for this you need to track the source. The problem is that Brave is promoted as a browser with an increased focus on privacy: it cuts banners, blocks code to track users, etc. In response to drama Brave co-founder of the development company reported a fixed error: the referral should not be added when typing a link in the address bar. But he will continue to work if the user is looking for the same cryptocurrency services and eventually goes to the partner’s site.

We will not even try to comment on who is doing the right thing in these two examples. In both cases, we are talking about different options for maintaining privacy, about trying to bring some kind of ideal concept for keeping secrets of negotiations or other user activity to real life. In which there are issues of combating crime and the requirements of the law. And, which more often affects the decisions of companies, the need to make a profit and give out salaries to employees.

What else happened:

Website BleepingComputer reports on the appearance of public exploit for vulnerabilities in the SMB protocol. It’s about vulnerability CVE-2020-0796closed by Microsoft developers in March this year.

Android Security Update for June closes two critical vulnerabilities. Meanwhile, The Register informs about a curious bug in Android that causes a cyclic reboot of the device if the user sets the “prepared” picture as wallpaper.

Kaspersky Lab Specialists are exploring malicious code created for systems not connected to the network. A real attack component called USBCulprit uses flash drives to exfiltrate data.

Very interesting report about a fun vulnerability in the GLPI IT process management system. The author of the study in practice encountered an unexpected scenario. GLPI creates tickets for the IT service from incoming email messages. If a letter contains a certain sequence of characters, when processing a ticket, the entire database of support calls is erased. The bug was also detected in a non-trivial way: after receiving a notification from the Haveibeenpwned service, in which the required sequence happened to be by accident.

Apple Developers released a patch covering a vulnerability that allowed hacking the latest versions of the iPhone. UnC0ver jailbreak tool exploiting vulnerability appeared in the public domain the week before last.

Similar Posts

Leave a Reply