Why I Still Trust Zoom

I've been getting some questions at the office regarding Zoom's recent "Security and Privacy issues". I decided to put my thoughts on these issues down in writing here.

As of now we have not seen any issues with Zoom that would justify looking at other options. Zoom has responsibly reported issues, corrected them very quickly, and been open and transparent. We have configured our Zoom accounts to apply the appropriate security settings so that our meetings are private and secure, and we have also produced training documents for staff on how best to use Zoom so that we can use it in a HIPAA-compliant manner.

One of the questions I received was about a CBS News article (https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/) concerning Zoom's use of a Software Development Kit (SDK) from Facebook. This SDK was not developed by Zoom; it was linked into Zoom's application on Apple iOS devices (iPhones and iPads) to let users sign in with their Facebook accounts. Because of the way Facebook engineered the SDK, it allowed personal information to be sent back to Facebook. Zoom has since modified the way they handle Facebook logins to their systems to prevent this. Unfortunately, the same SDK remains in use in many other iOS applications that have not been corrected, as well as on hundreds of thousands of websites.

Many other video conferencing solutions have had similar issues recently; however, since Zoom is the market leader in that area, they have been getting most of the press coverage. Many of the issues reported recently have been poorly reported or exaggerated by the media. Most of these reports involve consumers using Zoom for private/personal meetings, whereas Zoom was designed as business software. All the security issues that have been reported recently have been corrected by Zoom, often in as little as a day. Several others were the result of issues with other companies' technology.

Let's Encrypt - Free Domain Validated certificates for everyone.

I've begun the process of moving all the sites I host to HTTPS. I was lucky enough to get a Beta Program invitation for the Let's Encrypt project. I used their ACME client to verify domain control and issue a certificate. I was impressed by how easy the process was. The project is scheduled to move into general availability in the middle of November 2015.

I've been participating in the community support section of the LetsEncrypt.org site for a few weeks now and have seen a number of issues from people trying to issue certificates who were not "technical" people. While the ACME client can do many of the technical parts of the process, such as configuring Apache, verifying the domain, getting the certificates, and reconfiguring Apache to use them, the process can be intimidating. One of the first issues I saw was users trying to use the ACME client to get certificates for domains they own but host on shared hosting systems. Since the ACME client requires command-line access, as of now I don't see any reasonable way for these people to use an automated certificate issuance system.
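To make concrete what "verifying the domain" means in the steps above, here is an added worked example of the ACME HTTP-01 challenge as standardized in RFC 8555 (the 2015 beta spoke a draft version of ACME). It is not code from this post or from the Let's Encrypt client. It computes the RFC 7638 thumbprint of the account key, builds the key authorization the client must publish under /.well-known/acme-challenge/, and then plays the CA's side of the check. The account key, the "attacker" key and the token are constructed values (not real keys), and the web server's document root is stood in for by a dict so the whole exchange runs offline.

```python
"""ACME HTTP-01 challenge walk-through: client staging and CA validation.

Added example; not part of the Let's Encrypt client. Keys, token and the
"webroot" below are constructed stand-ins so the code runs with no network.
"""
import base64
import hashlib
import hmac
import json
import re

# RFC 7638 lists which public members go into the thumbprint for each key type.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# RFC 8555 section 8.3: the token is base64url text. Reject anything else before
# it is used as a file name, so a hostile or buggy CA cannot steer the write
# outside the challenge directory.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, keys sorted,
    no whitespace. Extra members such as 'kid' or 'alg' do not change it."""
    members = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def is_valid_token(token: str) -> bool:
    """True only for tokens made of base64url characters (no '/', '.', etc.)."""
    return bool(_TOKEN_RE.match(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """The value the client must publish: token '.' thumbprint(account key).
    Knowing the token alone is not enough; the account key binds the answer."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url; refusing to use it as a path")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA will request on port 80 of the name being validated."""
    return f"/.well-known/acme-challenge/{token}"


def stage_challenge(webroot: dict, token: str, account_jwk: dict) -> str:
    """Client side: drop the key authorization where the CA will fetch it.
    'webroot' is a dict here, standing in for the real document root."""
    path = challenge_path(token)
    webroot[path] = key_authorization(token, account_jwk)
    return path


def ca_validate(webroot: dict, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the file (simulated by a dict lookup) and compare it, in
    constant time, with the value the CA derived from the registered key."""
    body = webroot.get(challenge_path(token))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip().encode("ascii"), expected.encode("ascii"))


# Constructed demo material: these are NOT real EC keys, just 32-byte fillers
# shaped like P-256 coordinates so the thumbprint step has something to hash.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(0, 32))), "y": b64url(bytes(range(32, 64)))}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256",
                "x": b64url(bytes(range(64, 96))), "y": b64url(bytes(range(96, 128)))}
# Constructed 32-byte token, base64url-encoded like a real one (43 chars).
TOKEN = b64url(b"example-challenge-token-32-bytes")


def demo() -> dict:
    """Run one full exchange and report what each side saw."""
    webroot = {}
    path = stage_challenge(webroot, TOKEN, ACCOUNT_JWK)
    return {
        "path": path,
        "body": webroot[path],
        "valid_for_account": ca_validate(webroot, TOKEN, ACCOUNT_JWK),
        # Same token, different account key: the published answer does not match.
        "valid_for_attacker": ca_validate(webroot, TOKEN, ATTACKER_JWK),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noticing: the CA derives the expected answer itself from the account key it already has, so someone who can read the challenge token (for example from a shared log) still cannot satisfy the challenge for a different account; and the only artifact the CA ever looks at is a static file served over plain HTTP on port 80, which is why the client needs write access to the document root of the name being validated.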

After experimenting with the system I've come up with my best practices for issuing certificates, installing them, and serving them. I'll detail my process here.