[liberationtech] Zoom admitted, then denied, then admitted again that it censored an activist
Seth David Schoen
schoen at eff.org
Sun Jun 14 04:39:13 CEST 2020
Aaron van Meerten writes:
> I admit this part isn’t my focus, but my understanding is that the
> technology is called “Insertable Streams”. The basic idea is a
> hook within the WebRTC engine that allows media to be transformed
> after capture, but still delivers certain identifiers such as which
> packet contains a keyframe, or what volume levels to expect, while
> keep the media itself from being parseable by the server, only the end
> clients who have the key.
I hope someone (other than surveillance vendors) has thought through
whether any of the unencrypted metadata can leak something interesting.
E.g. profiling the compression patterns in order to get some kind of
statistics about the plaintext.
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/schuster
https://ieeexplore.ieee.org/abstract/document/4531143
https://ieeexplore.ieee.org/abstract/document/5958018
https://dl.acm.org/doi/abs/10.1145/3029806.3029821
Real-time video and audio compression with variable-rate codecs is
(like other uses of compression together with encryption) already pretty
risky. Adding more metadata about the streams might make it worse.
It might be good to ask the researchers on some of these and similar
papers whether the cleartext information that is still provided in this
WebRTC model is an eavesdropping risk.
> However, future iterations would definitely use something more
> sophisticated around confirming identity and possibly using algorithms
> similar to Signal for generating the keys.
I'm excited that you're working on that!
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
More information about the LT
mailing list