Is Zoom Secure?

Should you use Zoom or not?

There has been a lot of controversy and confusion about the security of online Zoom meetings. Some security experts have told people not to use Zoom, while other tech experts say they don’t know what all the fuss is about and that it’s fine to use. In this post I hope to summarize and clarify a few details behind these general recommendations so that you can make a better-informed decision. The information presented here comes from my own experience and from the online references linked in this post.

TL;DR: I will join Zoom meetings, but I won’t install their software. In my opinion Zoom as a company exhibits a pattern of behavior around security that makes me not trust the software they produce. This may change in the future, but they’ll have to earn my trust back. In the meantime, there are many alternatives for online meetings from companies with a better history of handling security than Zoom has.

If you want further reading on this topic, I strongly recommend you read this post by Bruce Schneier, Security and Privacy Implications of Zoom. I have only touched on a few points from his post.

Who has banned Zoom?

There are a number of organizations that have banned Zoom. Some of the companies include: Tesla, SpaceX, Daimler AG, Bank of America, Google (telling employees to use Google Duo instead), Ericsson AB, Smart Communications, and NXP Semiconductors.
Various school districts have also banned the use of Zoom, including New York City’s Department of Education and Clark County Public Schools in Nevada, and Singapore nationwide (its Ministry of Education suspended Zoom for home-based learning).
Then there are the government agencies with bans in place: NASA, government agencies in Taiwan, the German foreign ministry, the Australian Defense Force, and the U.S. Department of Defense. The U.S. Senate sergeant at arms has told lawmakers’ offices to avoid using Zoom. Even China started blocking Zoom last September.

History of (in)security at Zoom

Why so much fuss over it? Let’s take a look at Zoom’s record.
Uninstallable security hole

July 8, 2019 – Zoom allows a malicious website to enable your camera without permission.
This is when I decided I didn’t want to install Zoom software on any of my devices. The Mac client had quietly installed a local web server that let any web page drop you into a meeting with your camera on, and because that web server was left behind when you removed the application, your system was still vulnerable even after uninstalling Zoom. Apple stepped in and silently pushed out an update that removed it.
March 20, 2020 – Zoombombing – where someone uninvited joins and disrupts your meeting
March 31, 2020 – Zoom doesn’t use end-to-end encryption even though they say it does
April 1, 2020 – It could be used to steal Windows login credentials.
April 2, 2020 – It secretly displayed data from people’s LinkedIn profiles.
April 3, 2020 – It appears that no one at the company has an adequate grasp of cryptography.

Zoom behaves similarly to malware

Example #1: Incomplete uninstall process – Have you ever tried to uninstall malware? It never seems to go away, or it cripples your system in the process of being removed. (See July 8, 2019 above for details.)
Example #2: Zoom makes it difficult to join a meeting without installing their software. Try joining a Zoom meeting in your browser. They do everything they can to get you to download and install Zoom before letting you join the meeting. Here is what you have to go through.

First you click on your meeting link and this comes up. Hey look, the only option is to “download & run Zoom”

After waiting for a few seconds, you get another prompt to “download & run Zoom” or “launch the meeting” (which means download & run Zoom)


Then, after finally clicking on “click here” and waiting a few more seconds, you get a small link to “join from your browser”. You’d think they don’t want you to do that!

Recommendations for using Zoom, if you must

  • Join Zoom meetings through the browser. Only install the Zoom software if necessary.
  • If you are hosting a meeting, set and distribute a password to those that will be attending. Don’t share meeting passwords in public spaces, such as social media.
  • Use a waiting room when possible to control who enters your meeting.

In Summary

Should you stop using Zoom completely? Unless you’re discussing state secrets or things that are extremely sensitive in your meetings, I don’t think that is necessary. But the precautions listed above are worth taking.

I can hear some people saying, “All software has security holes, Zoom isn’t that bad.” It is true that all software has security holes. But if I have an alternative from a company with a proven security record, a development process that includes security, and a habit of quickly patching holes when they’re found, I’ll choose that.

Here are a few alternatives to Zoom:

  • Google Meet (formerly Hangouts)
  • Microsoft Teams
  • Slack
  • Cisco Webex
  • GoToMeeting
  • Skype
  • Facetime
  • Signal
  • Discord
  • WhatsApp
  • Jitsi

(June 15, 2020) Edit to add: On the surface, Zoom has been taking some actions that might improve their security. But they’re still not doing all they can. More info here.

How to configure your Postfix server to relay email through Amazon Simple Email Service (SES)

Amazon recently announced SMTP support for the Amazon Simple Email Service (SES), which is very cool. Now you can configure your server to send email through it regardless of what platform your site is built on (my previous post was only relevant to PHP servers). There are three main things you need to do to configure your Postfix server to relay email through SES: verify a sender email address, create an IAM user for SMTP, and configure your server to use SES.

Verify a sender email address

  1. In the SES section of the AWS Management Console, click on “Verified Senders”:
  2. Then click on the “Verify a New Sender” button:
  3. Enter the Sender’s Email Address and click “Submit”:
  4. Then you’ll see the confirmation message:
  5. Go to that email account and click on the link Amazon will email to you to confirm the address.

Create IAM Credentials

  1. In the SES section of the AWS Management Console, click on “SMTP Settings”:
  2. Click on the button “Create My SMTP Credentials”:
  3. Choose a User Name and click “Create”:
  4. Save the SMTP Username and SMTP Password that are displayed. We’ll need them when configuring the server. Treat the password like any other long-lived secret: it authenticates anyone who holds it to send mail as your verified addresses.

Configure the server

Now for the fun part. Here I assume you’re running Postfix as the MTA on your server. SES’s port 465 expects TLS from the first byte (SMTPS rather than STARTTLS), and the steps below use stunnel to wrap the connection for Postfix; current Postfix releases can also speak SMTPS themselves (smtp_tls_wrappermode together with smtp_tls_security_level = encrypt), which removes the extra hop.

  1. Install stunnel:
    apt-get install stunnel
  2. Add these lines to /etc/stunnel/stunnel.conf and make sure it starts properly (you may have to edit /etc/default/stunnel so that it starts automatically on boot). Note that stunnel does not verify the server’s certificate unless you tell it to, and without verification anyone who can intercept the connection can present their own certificate and collect your SMTP credentials, so point it at the system CA bundle and require a valid chain (the CAfile path below is the Debian/Ubuntu default; stunnel 5.06 and later also accept checkHost = email-smtp.us-east-1.amazonaws.com to check the hostname as well):
    [smtp-tls-wrapper]
    accept = 127.0.0.1:1125
    client = yes
    connect = email-smtp.us-east-1.amazonaws.com:465
    ; verify the SES certificate chain against the system CA bundle
    verify = 2
    CAfile = /etc/ssl/certs/ca-certificates.crt
  3. Add this line to /etc/postfix/sender_dependent_relayhost:
    somesender@millcreeksys.com  127.0.0.1:1125
  4. Generate the hashfile with this command:
    postmap /etc/postfix/sender_dependent_relayhost
  5. Add this line to /etc/postfix/password:
    127.0.0.1:1125 <your SMTP Username>:<your SMTP Password>
  6. Fix the permissions on /etc/postfix/password
    chown root:root /etc/postfix/password
    chmod 600 /etc/postfix/password
  7. Generate the hashfile with this command:
    postmap /etc/postfix/password
  8. Add these lines to /etc/postfix/main.cf. The empty smtp_sasl_security_options permits the plaintext PLAIN and LOGIN mechanisms, which is what SES accepts; that is only safe because the credentials travel through the local stunnel tunnel and never cross the network in the clear, so don’t reuse this setting for a relay you reach without TLS:
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent_relayhost
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/password
    smtp_sasl_security_options =
  9. Load the new configuration with this command:
    postfix reload

Additional Notes

After setting it up, look closely at the mail logs on your server (on Debian and Ubuntu, /var/log/mail.log) to verify that messages are being delivered properly. As I found through testing, with certain misconfigurations your email will not be delivered and will not remain in the queue on the server either. The mail logs are the only place that will show that delivery is failing.

If you need to add other senders in the future, edit /etc/postfix/sender_dependent_relayhost accordingly then run:
postmap /etc/postfix/sender_dependent_relayhost
postfix reload

The reason for using sender_dependent_relayhost is because you want to specify what email gets sent through SES. If you try to send all email from the server through SES, you’ll probably have some end up going into a black hole. When I was testing this previous to using sender_dependent_relayhost, I didn’t have my root@ email address verified and so emails ended up bouncing back, then bouncing into oblivion never to be seen again (because it would try to relay email to root@ through SES too.)
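The misconfigurations described in the notes above fail silently, so here is a small checker, written for this post as an added example and not part of the original how-to. It reads the two map files in the hash: source format used in the steps above, flags the mistakes that make mail vanish (a credential keyed by a string that does not match the relayhost entry, a password file readable by other users, a .db that is missing or older than its source), and pulls sent/failed records out of mail log lines. The paths, function names and the three log lines are assumptions or constructed for the example, not taken from a real server.

```python
"""Sanity checks for a Postfix-to-SES relay built on sender_dependent_relayhost.

Added example; not code from the original post.  Paths, function names and the
sample log lines are assumptions or constructed here.
"""
import os
import re
import stat
import tempfile


def parse_map(text):
    """Parse a Postfix hash: map source file: 'key value' per line, '#' comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed map line: %r" % raw)
        entries[parts[0]] = parts[1]
    return entries


def check_relay_credentials(relay_map, password_map):
    """Each relay target used in sender_dependent_relayhost needs an entry in the
    password map keyed by exactly the same string (brackets and port included);
    otherwise Postfix connects without AUTH and SES rejects the message."""
    problems = []
    for sender, relay in relay_map.items():
        cred = password_map.get(relay)
        if cred is None:
            problems.append("no credentials for relay %s (used by %s)" % (relay, sender))
        elif ":" not in cred:
            problems.append("credential for %s is not user:password" % relay)
    return problems


def check_password_file(path, expected_uid=0):
    """The SASL password map holds a reusable SES secret: owner root, mode 0600,
    and the compiled .db must not be older than the source (or postmap was skipped)."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("%s is mode %04o; expected 0600" % (path, mode))
    if st.st_uid != expected_uid:
        problems.append("%s is not owned by uid %d" % (path, expected_uid))
    db = path + ".db"
    if not os.path.exists(db):
        problems.append("%s is missing; run postmap" % db)
    elif os.stat(db).st_mtime < st.st_mtime:
        problems.append("%s is older than %s; rerun postmap" % (db, path))
    return problems


# Postfix smtp client delivery record; the trailing parenthesised text is the
# server's reply, which is where SES says why it refused the message.
LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*?"
    r"relay=(?P<relay>\S+),.*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)


def scan_log(lines):
    """Split smtp client log lines into (sent, failed) records."""
    sent, failed = [], []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            (sent if rec["status"] == "sent" else failed).append(rec)
    return sent, failed


# Constructed log lines in Postfix's format, not taken from a real server.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 postfix/smtp[2311]: 4F3A2B1C0D: to=<alice@example.net>, relay=127.0.0.1[127.0.0.1]:1125, delay=1.4, delays=0.2/0/0.6/0.6, dsn=2.0.0, status=sent (250 Ok 0100017a2b3c4d5e-0000)
Mar 10 12:00:05 web1 postfix/smtp[2312]: 7A1B2C3D4E: to=<bob@example.net>, relay=127.0.0.1[127.0.0.1]:1125, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 Message rejected: Email address is not verified. (in reply to end of DATA command))
Mar 10 12:00:09 web1 postfix/smtp[2313]: 9C8D7E6F5A: to=<carol@example.net>, relay=127.0.0.1[127.0.0.1]:1125, delay=0.3, delays=0.1/0/0.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; server 127.0.0.1[127.0.0.1] said: 535 Authentication Credentials Invalid)
"""


def demo():
    """Build a deliberately broken setup in a temp dir and return what the checks find."""
    d = tempfile.mkdtemp()
    relay_path, pw_path = os.path.join(d, "sender_dependent_relayhost"), os.path.join(d, "password")
    with open(relay_path, "w") as f:
        f.write("somesender@millcreeksys.com  127.0.0.1:1125\n")
    with open(pw_path, "w") as f:  # key written with brackets: does not match the relayhost above
        f.write("[127.0.0.1]:1125 AKIAEXAMPLE:secretexample\n")
    os.chmod(pw_path, 0o644)  # world-readable, and no postmap run yet
    with open(relay_path) as f, open(pw_path) as g:
        relay_map, password_map = parse_map(f.read()), parse_map(g.read())
    problems = check_relay_credentials(relay_map, password_map)
    problems += check_password_file(pw_path, expected_uid=os.getuid())
    sent, failed = scan_log(SAMPLE_LOG.splitlines())
    return {"problems": problems, "sent": len(sent), "failed": [r["status"] for r in failed]}


if __name__ == "__main__":
    print(demo())
```

Run it on the real files with expected_uid left at its default of 0 (root); the demo deliberately uses a bracketed key so you can see the mismatch the checker is looking for. The bounced and deferred sample records show the two replies you are most likely to meet: an unverified sender and rejected SMTP credentials.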

http://www.millcreeksys.com/how-to-configure-your-postfix-server-to-relay-email-through-amazon-simple-email-service-ses/

Quick programming tip for servers behind load balancers

If you’re using PHP and wanting to check to make sure the incoming connections came over HTTPS, you are probably using the $_SERVER['HTTPS'] variable.

The problem is, if your servers sit behind a load balancer that terminates TLS for you, this check won’t work, because the connection that reaches your server is plain HTTP. Fortunately, there are other headers added by the load balancer you can use to detect TLS. They are the X-Forwarded-* headers.

For example:
$headers["X-Forwarded-For"] == 123.45.67.89 (because $_SERVER['REMOTE_ADDR'] is going to give you the load balancer’s IP address)
$headers["X-Forwarded-Port"] == 443
$headers["X-Forwarded-Proto"] == https

In PHP these arrive as $_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_X_FORWARDED_PORT'] and $_SERVER['HTTP_X_FORWARDED_PROTO']. Most load balancers that terminate TLS set them, including Amazon’s ELB on EC2. One caveat: they are ordinary request headers, so a client that can reach your server directly can send them too. Only trust them when $_SERVER['REMOTE_ADDR'] is one of your load balancers, and make sure nothing but the load balancer can reach the web servers.
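The check described above, as an added example that is not code from the original post. It is written in Python rather than PHP so that it runs stand-alone; the request dicts mimic PHP’s $_SERVER (a request header X-Forwarded-Proto shows up there as HTTP_X_FORWARDED_PROTO). The proxy address range, the function names and the sample requests are assumptions made here.

```python
"""Trust X-Forwarded-* only when the request really came through the load balancer.

Added example, not code from the original post.  The trusted range, function
names and sample requests are assumptions made for the example.
"""
import ipaddress

# Assumed: the only hosts allowed to speak for the client are the load balancers
# in these ranges (for Amazon ELB that is the subnet the balancer lives in).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def from_trusted_proxy(server, trusted=TRUSTED_PROXIES):
    """Was the TCP peer one of our load balancers?"""
    try:
        peer = ipaddress.ip_address(server.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def request_is_https(server, trusted=TRUSTED_PROXIES):
    """True if TLS terminated on this server, or a trusted proxy says it terminated there.
    X-Forwarded-Proto from any other peer is attacker-controlled and is ignored."""
    https = server.get("HTTPS", "")
    if https and https.lower() != "off":
        return True
    if not from_trusted_proxy(server, trusted):
        return False
    # With chained proxies the header is comma-separated; the last value is the one
    # appended by the nearest (trusted) hop, anything further left may be client-supplied.
    proto = server.get("HTTP_X_FORWARDED_PROTO", "").split(",")[-1].strip().lower()
    return proto == "https"


def client_ip(server, trusted=TRUSTED_PROXIES):
    """The real client address: walk X-Forwarded-For from the right and stop at the
    first hop that is not a trusted proxy.  Walking from the right is what defeats a
    client that prepends a fake address to the header."""
    peer = server.get("REMOTE_ADDR", "")
    if not from_trusted_proxy(server, trusted):
        return peer
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # garbage in the chain: fall back to the socket peer
        if not any(addr in net for net in trusted):
            return hop
    return peer


# Constructed requests: two that really came via the balancer at 10.0.3.7, one
# direct hit that forges the headers, one with a forged X-Forwarded-For prefix,
# and one that reached this server over TLS directly.
SAMPLES = {
    "via_lb_https": {"REMOTE_ADDR": "10.0.3.7", "HTTP_X_FORWARDED_PROTO": "https",
                     "HTTP_X_FORWARDED_PORT": "443", "HTTP_X_FORWARDED_FOR": "203.0.113.9"},
    "via_lb_http": {"REMOTE_ADDR": "10.0.3.7", "HTTP_X_FORWARDED_PROTO": "http",
                    "HTTP_X_FORWARDED_FOR": "203.0.113.9"},
    "spoofed_direct": {"REMOTE_ADDR": "198.51.100.4", "HTTP_X_FORWARDED_PROTO": "https",
                       "HTTP_X_FORWARDED_FOR": "10.0.3.7"},
    "spoofed_xff_via_lb": {"REMOTE_ADDR": "10.0.3.7", "HTTP_X_FORWARDED_PROTO": "https",
                           "HTTP_X_FORWARDED_FOR": "1.2.3.4, 203.0.113.9"},
    "direct_tls": {"REMOTE_ADDR": "198.51.100.4", "HTTPS": "on"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print("%-20s https=%-5s client=%s" % (name, request_is_https(req), client_ip(req)))
```

The REMOTE_ADDR test is only enforceable if the instances’ security group admits traffic from the load balancer alone; if anyone can hit a web server directly, the headers on their own prove nothing.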

 

Get up and running quickly with Amazon SES on your php website


Note: if you want to setup SES in a way that scales much better and functions even with non-PHP sites, please read this more recent HowTo: How to configure your Postfix server to relay email through Amazon Simple Email Service (SES)


Here’s how you can start using Amazon’s new SES (Simple Email Service) without having to actually implement it in the php of your website:

  • Extract the files and create a new one named “aws-credentials” with your key data in it (keep this file outside the document root and readable only by the user the web server runs as, since it holds your AWS secret key); for example:

AWSAccessKeyId=022QF06E7MXBSH9DHM02
AWSSecretKey=kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct

  • Verify an email address to use with SES

./ses-verify-email-address.pl -k ./aws-credentials -v someaddress@yourdomain.com

  • Check the email account for the address you’re verifying and click on the provided link.
  • Send a test email:

echo "This is only a test." | ./ses-send-email.pl -k ./aws-credentials -s "test subject for email" -f someaddress@yourdomain.com someaddress@yourdomain.com
(Note – Until you receive production access to Amazon SES, you can only send to addresses you have verified. You can request production access here.)

  • Edit the sendmail_path config in your php.ini as follows:

sendmail_path = /path/to/ses-send-email.pl -k /path/to/aws-credentials -f someaddress@yourdomain.com -r

  • Restart/reload Apache and that’s it!

(Additional notes – The “From” address you set in your php.ini file will override any mail headers you set in php.  Sending will fail if you try to set the “From” header to an unverified address or when setting the “Reply-To” header at all in php.)


	

Update your website directly from your git repository

Here is a php script you can use to update your website from your git repository.  You can pass 2 parameters to it:

  • “r” – revision you want checked out from git (r=head works also)
  • “l” – number of log entries you want to view

For example, if I was running it on this site, here is what each URL would do:

/gitpull.php – show current status and last 3 log entries (make no changes)

You need to make sure that the directory structure is owned by the HTTP daemon user (so that the files can be updated). It is best to run the script initially from the command line as that user on the server to make sure everything is working properly.

One word of caution: restrict who can run this script (for example with HTTP auth over HTTPS), because the script isn’t perfect and you don’t want to let just anyone make changes to your site. Having your website files owned by the web server user also increases certain risks: any bug in the site that lets an attacker write a file lets them rewrite the site’s own code. It is recommended that you only use this script in a protected environment.