![]() ![]() Even if the password were not embedded in the link, the password is included in the invitation, so again the password is offering no security value.ĭoes the browser insert any risk to the details needed to join a meeting? As the link is https, the browser will start by asking the servers for encrypted communication once established, the full link will be requested and the meeting process will begin, with no password required as it’s embedded in the link. There is a risk that someone may forward the invitation, in its entirety, to an unauthorized person who could then join the meeting, and would be in possession of the link with the embedded password and the actual password. That said, the bad actors who have been Zoom-bombing may still be able to use brute-force tactics to find valid Meeting IDs, by setting scripts running to continually attempt to connect to meetings. This stops people attempting to connect to a password-protected meeting with only the Meeting ID, thus resulting in a reduction of Zoom-bombing. The other way to join a Zoom meeting is to enter the 9-digit Meeting ID if you attempt to join a meeting using this method and a password was configured, a password prompt is displayed. What was the point of requiring a password, then? No password is required to be input, however, because the password is embedded in the link hidden in the encoded string of characters used to connect to the meeting. The scheduler is expecting the invitee to need a password, as that was how the invite was configured. At the time the meeting is scheduled, a simple click on the link in the invitation is all that’s required to join the meeting. ![]() The invitation arrives in the invitee’s inbox or calendar. So, there is limited opportunity someone will intercept the email and glean the meeting details, including the password. The good news here is that 93% of inbound email, according to Google, is encrypted in transit. If sending to a recipient outside of the company, however, the email contents will flow across public networks. The next step is to send the invitation out if all recipients are within your own company domain, then this is probably secure, as the internal IT team is in control. At this point the obfuscation of the password seems pointless and offers no security value. Pointing out the obvious here: the password’s encoded and plain versions are both included in the same invitation that is typically sent, in its entirety, as a calendar invitation or email to the invitee. The random string is an encoded version of the password, which is listed in its plain form below the Meeting ID. Notice the URL in the invitation in Figure 2 to “Join Zoom Meeting” includes a “pwd=” parameter followed by numerous seemingly random characters. Zoom invitation email with a default, random password ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |