Yes, if the keys are held in servers that they have access to then they would be able to decrypt the traffic and see what is happening.
The whole point of e2e encryption is that only the 2 parties have the keys, Zoom are abusing this term and making people believe they are doing e2e
If they can enter the meeting, either they have to get confirmation from the host who would send the keys to the person entering the meeting or they already have the keys and can enter the meeting and decrypt the stream.
They apparently 'define it differently' to every other company, organization, and infosec professional. This sort of thing used to be called lying, but it's essentially an 'alternative fact' now:
Zoom, however, denies that it’s misleading users. The company told The Intercept, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” and that “content is not decrypted as it transfers across the Zoom cloud.”
Whether the paper is any different is sort of irrelevant if they're starting off from a place of bad faith. One time after another this company has 'accidents' like this, while removing CCP distinguished nonpersons from the platform. A sense of skepticism is certainly justified.
If implemented correctly, the server doesn’t get the key. Look up Diffie–Hellman key exchange for more information on how this is possible. This can be verified by auditing the client so you don’t need to trust Zoom.
> The Diffie–Hellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack.[1]
Whoever controls key distribution can control the encryption channel; without a way to verify public keys, all bets are always off. You're right that auditing the client is one (if not the only?) way to do this.
This is true, but they are going to help law enforcement with calls that have bad content in them, the only way this can happen is if they have the ability to decrypt the streams or enter calls silently and get the keys.
Edit: Sorry for coming across a little brash, I'm quite a strong advocate of real encryption and this kind dilution of terms makes my blood boil because terms are being diluted and people have trust in something that betrays them.
