Google Authenticator's backup feature is not E2EE (end-to-end encryption)

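A few days ago I mentioned that Google Authenticator finally supports backup: "Google Authenticator supports backing up to a Google Account". When I set it up I didn't see any option such as a custom passphrase, so I guessed it probably wasn't E2EE. It has now been confirmed, by directly intercepting the traffic, that there is no E2EE, and the TOTP secret tokens are transmitted as-is: "PSA: Google Authenticator's Cloud-Synced 2FA Codes Aren't End-to-End Encrypted".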

Responding to CNET's inquiry, a Google spokesperson only said that there are plans to do it, without giving any further details:

To ensure that we're offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.

If this matters to you, hold off on turning it on for now...

Zoom will not offer End-to-end Encryption to free users

When Zoom explained that the free version would not get end-to-end encryption, everyone was dumbfounded: "Zoom's Commitment to User Security Depends on Whether you Pay It or Not". Here Bruce Schneier cites Bloomberg's interview with Zoom's CEO Eric Yuan (袁征): "Zoom Transforms Hype Into Huge Jump in Sales, Customers".

Corporate clients will get access to Zoom’s end-to-end encryption service now being developed, but Yuan said free users won’t enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said on the call.

Let's keep watching how things develop over in that camp...