Is there any technical merit to this ban? Why would forcing use of web version mitigate any concerns? (The concerns I have heard are lack of proper end-to-end encryption, servers in China and the possibility to join chatrooms by guessing a name (zoom-bombing)).
Seems perfectly sensible to ban all software that is not pre-approved by IT, InfoSec and Legal.
You can't safely assume all your employees are properly assessing the risks unless that is their actual job. If you only allow what you know then you can reason about your risk.
I'll be absolutely stunned if people are really having to raise JIRA tickets instead of typing "brew install" but my information is secondhand so what do I know.
Our laptops are configuration managed, force upgraded, and surveilled, but we all have root and IT has never stood in the way of "power user" behavior. The extent of the frustration in engineering is that their management processes sometimes eat CPU. My understanding is that most of the Valley is like this.
https://github.com/google/santa is used to whitelist binaries on Macs, but you can fill out a form to instantly opt out. One of the options for why is "I use a package manager".
Installing third-party software on corp devices is generally a no-go at a lot of workplaces. With the security problems that Zoom has been having, it's only prudent of IT to ban its use on work devices.
> Why would forcing use of web version mitigate any concerns?
Because the web version runs in a browser sandbox, so there's a reduced risk of it compromising the security of the corp device.
> The concerns I have heard are lack of proper end-to-end encryption, servers in China and the possibility to join chatrooms by guessing a name (zoom-bombing).
Googlers don't use Zoom for work, they use it for personal stuff, so that's not the problem.
From the perspective of a generic IT department: Even if there aren't any security problems with having the client installed on your workstation - the problem is that when they've made so many amateurish security mistakes, it's difficult for IT to trust the binary blob that Zoom wants you to install on your computer.
Corporate device security is a series of safety-versus-efficiency tradeoffs, made with incomplete information. Banning Zoom does not really compromise efficiency, if you aren't using it for work stuff.
The code execution vulns for both OSX and Win10 probably. In Windows, clicking a UNC path link would pass hashes. I believe for OSX there was an installer trick that allowed any code to run if triggered.
But those vulnerabilities were there, at least on OSX, because they were trying to avoid OSX's security warnings. And this is not the first time they've done something skanky like that.
Once may have been an honest mistake; 2+ times is now a pattern.
"For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS."
Apparently the web version doesn't use their homegrown encryption scheme.
Using Zoom or any other videoconferencing app that might retain data for an internal meeting is presumably banned regardless, and unnecessary given that Google Meet exists. But some employees might need to use it to videoconference with customers and partners, and some employees might be using it for personal calls on their work laptop. Banning the native app of a company that is clearly 100% shady 100% of the time seems wise.