Not a good idea to use 9 to 11 digit long IDs with no password requirement by default; they should have used at least 128-bit random IDs, i.e. 21-character-long base64-encoded strings.
This is likely to support dial-in over the telephone network.
I think "no password" is the bigger issue, because repeated attempts with incorrect passwords can be rate-limited. Zoom should be generating a random 6-digit password for each meeting by default.
There may be use cases for not having any password, but that should be explicitly opt-in and have a warning message to every participant that anyone can join and broadcast in this meeting.
I'm sure the reason for that is the UX.
Zoom had a reputation of "just works", and part of it was that it is so easy to jump into a meeting.
If now I have to manage access and so on, it would not be "it just works" like it was.
The telephone dial-in option should've been separate - if the user chooses to enable it then they can fall back to shorter IDs, while meetings that don't need it (or where it doesn't make sense anyway - screen shares, presentations, etc) would use longer, more secure IDs.
As we've used it at work, the phone dial-in option is the backup plan -- useful when people can't set up their computer's microphone correctly, or lose Internet access for whatever reason.
The "just works" nature is why Zoom is popular. No one wants to have every meeting start with "Is Larry here? Oh, I think he's trying to dial in. I'm going to cancel this meeting and send out a new ID so he can dial in. Everyone watch for that so you can reconnect."
You could even include the option to get approval - pop up says "Mx. Caller ID is calling from 555.555.5555. Approve?" Obviously there's no way to get in through random dialing. And if you get a pile of requests, provide a way to filter incoming numbers and disable the calling ID as soon as everyone is in.
That's even assuming that anti-DOS protection on the phone line is impossible.
Even if the phone dial-in ID were enabled by default (which isn't what I am suggesting), the extra latency and cost of brute forcing them over the phone network will make these attacks much harder.
I've always preferred conf systems with a call-me-at function anyway. With most lines, signing in over the phone is a horrible waiting game where one missed digit means sitting through instructions for another minute.
Could you not use a telephone intent, where the meeting ID is the suffix to the dial in number with commas for any necessary pauses? Skype for business meeting invites have this. Zoom might then support inviting mobile phone conference participants using SMS, containing the link (think weak 2FA).
The most secure computer is a non-networked standalone box sunk in concrete and hidden at the bottom of a deep sea trench. It is not, however, very usable.
Yes. If you're in a conference room and it's not a Zoom Room(tm), or has a Cisco system, or whatever, you have to use the conference phone. You might be able to tell the Zoom meeting host to call the conference phone and bring it into the meeting, but it'd be easier just to type the ID in (unless it was really 128 char, but then that'd give people a reason to buy new conference hardware I guess).
Also if you don't want to install the Zoom client, you can just dial in from your cell phone or desk phone.
When I did consulting, almost every meeting had at least one dial-in. If you didn't include a dial-in, you'd be guaranteed to either get a request to add one, or you'd get people who didn't show.
There was always:
1. someone who was on the road - a traveling consultant or someone in sales
2. a client or potential who called in because of the same, or because they don't sit at a computer all day and/or don't have a headset for their computer.
3. People in a conference room
4. a client who sucks at computers and dials in because they can't figure out how to install the latest version of CiscoGoToZoomMeetingWebEx.exe in IE8 on their macbook.
I've been working from home since before the lockdown in my country. Since the lockdown, the number of online meetings that I have in a day has tripled. I think in about 2-3 meetings a day I have problems with microphone/hearing, and end up dialing in from my phone. This is normally for Skype for Business meetings.
The same tends to happen with a few colleagues ... Some anecdote.
Far greater than you would expect, I think. This is anecdotal, but we're an admittedly small company (~20-25 employees) and all of our interactions with other companies (clients) are either direct line-to-line or, if we do a conference call, we all call in over the phone. Many of the companies who send us WebEx or join.me or Hangouts Meet or whatever invites only send the phone number even, not even bothering to give us a link (and if you go to the room manually in your browser, you're the only one actually connected via computer).
I call in for every meeting I can. My hearing is poor; the sound quality on the computer just isn't good enough for me. Then add in that my computer is heavily loaded, so its ability to encode/decode sound is degraded.
I have a high quality desk phone on a land line (admittedly, VOIP from FIOS, but not via my computer) and I will fight tooth and nail to keep it.
All that being said, I'm comfortable typing in an arbitrary length password on my phone. All I ask is that it be formatted to make that easy (groups of 3-4 numbers with spaces).
Working in global research, 40% of our ROW (rest of world) sites and vendors use landline or cell phones to join our meetings, depending on their institutional security and IT settings.
My husband is a market researcher, and is now conducting market research over Zoom & other platforms. The first thing he does is have _everyone_ dial in. It's been a major help in reducing latency and dropped packets, which in turn has a majorly positive effect in getting strangers to be able to talk normally with each other. It helps prevent the "you go no you go" as latency allows people to unknowingly step over each other.
I would also enjoy being able to punch in '12345' as my password everywhere instead of launching LastPass all the time, but I accept that some conveniences aren't worth security consequences.
Good idea for this! But trickier for phone calling into a conversation. They could also just add 3 digits and a slight delay in their connection API, making it much harder to brute force, albeit only by a constant factor.
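The entropy and rate-limit arithmetic behind the comments above (ID length, a per-meeting random passcode, lockout after a few wrong tries, the "constant factor" from extra digits), as an added illustration that is not part of the thread. The scenario figures in `__main__` (1e11 possible IDs, 1e6 live meetings, lockout after 10 wrong passcodes) are constructed assumptions, not measurements.

```python
import base64
import math
import secrets


def numeric_id_bits(digits: int) -> float:
    """Entropy of a uniformly random decimal ID with `digits` digits (9 digits ~29.9 bits, 11 ~36.5)."""
    return digits * math.log2(10)


def base64url_len(bits: int) -> int:
    """Unpadded base64url characters needed to carry `bits` of randomness (128 bits -> 22 chars)."""
    return math.ceil(bits / 6)


def new_meeting_id(bits: int = 128) -> str:
    """Meeting ID built from `bits` of CSPRNG output, base64url-encoded with '=' padding stripped."""
    return base64.urlsafe_b64encode(secrets.token_bytes(bits // 8)).rstrip(b"=").decode("ascii")


def new_passcode(digits: int = 6) -> str:
    """Per-meeting numeric passcode, zero-padded; drawn with `secrets`, never with `random`."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def guess_success_probability(space: int, allowed_attempts: int) -> float:
    """Chance of hitting one uniformly random secret out of `space` values when a per-target
    lockout caps the guesser at `allowed_attempts` wrong tries. With no passcode this is 1.0."""
    return min(1.0, allowed_attempts / space)


def expected_guesses_until_live(space: int, live_targets: int) -> float:
    """Expected random guesses before landing on any of `live_targets` valid IDs in `space`.
    Extra digits multiply `space`; a per-attempt delay multiplies wall time. Both are constant factors."""
    return space / live_targets


if __name__ == "__main__":
    print(f"11-digit ID: {numeric_id_bits(11):.1f} bits; 128-bit ID: {base64url_len(128)} base64url chars")
    print("example ID:", new_meeting_id(), "passcode:", new_passcode())
    # Constructed scenario (assumption): 1e11 possible IDs, 1e6 live meetings, lockout after 10 tries.
    print(f"expected guesses to find a live ID: {expected_guesses_until_live(10**11, 10**6):,.0f}")
    print(f"passcode success per meeting with lockout: {guess_success_probability(10**6, 10):.0e}")
```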
It's an incredibly simple thing to screw up. I wonder where else they use low entropy random strings. I wonder if their password reset functionality can be brute forced too. Another problem is where they put rate limiting, as it seems probable, based on this article, that there are holes.
In this case, relatively short numeric meeting IDs allow users to dial in via plain old phone lines. If my meeting guests had to enter a UUID via their phone keypad, they would probably skip the meeting instead.
I mean, this is intentional. They even allow you to set your meeting ID to a well-known number, like your company's published phone number.
If you want to join the all-hands meetings of a company I used to work for, you only need to go to their website and look up their primary phone number. That's the Zoom meeting ID.