Is this a scam? Zoom Desktop Client For Linux

symbalex
Listener

I recently received an email from *********** which said

 

As an admin or owner of an account with users using the Zoom Desktop Client for Linux, we are reaching out to notify you that we will be retiring the current key pair used to sign the Linux client on November 2, 2022. To avoid service interruption, we advise that you ask your users to download and trust the new public key. 

 

Please follow the instructions below to download the new GPG validation key by 11/2/22 to avoid service interruption.

 

[...] and then some instructions [...]

 

Is this a scam or is it legit? I haven't managed to find other info about this on the zoom website.

Fermentlife
Listener

Me too!
I would not want to do this procedure without confirming that it is not an attack attempt.
Please give us your confirmation.
Thank you.

sundarvenkata
Listener

I got the same email as well. Please confirm if this is safe.

Jeff924
Listener

I got the same message.  It is suspect because, well, I don't want to say why it is suspect because I don't want the bad guys to learn how I came to suspect them.

 

I would expect zoom to send a message, in flat ASCII or flat UNICODE, that said "If you use the linux zoom client, then please login to your account as you normally do.  We have a message for you that we want to send you through a known secure channel".

Zoom: are you listening?

 

Bort
Community Champion | Zoom Employee

Hi all, 

Yes, this is an authentic email from Zoom. Please take the necessary steps to update your Linux client to avoid service disruption. 

Bort, ask your security people about sending keys - keys! - through HTTP and not HTTPS.  Also, ask them about using any URL other than from zoom.com or zoom.us or zoom. (country code).  Also, ask them about sending ANYTHING material through E-mail!  For all intents and purposes, E-mail should be considered dead with the exception of alerting the recipient that there is a message for them on a protected web server.  I'm sorry.  It was a wonderful idea 50 years ago, but now bad actors are so prolific that it's just useless.  Even if it was not bad actors, the signal-to-noise ratio is fast approaching zero.  Yesterday, I counted.  Of the 283 E-mails,  only 3 were actually useful to me.

John_Z
Listener

Thanks for the reply.

Can we get some instructions that are much clearer?  The email makes little sense to me.

 

Thanks.

Bort
Community Champion | Zoom Employee

Yes, we're working on it. We'll have a more detailed support article available soon. 

japril
Listener

I imported the key into a gpg keyring just to check it out and it's from 2015 .. do you guys realize that?  Seems like an old key and not a new one.

PK
Attendee | Zoom Employee

Hello @symbalex and everyone! I have an update for you:

Here's a support article regarding the email you received: https://support.zoom.us/hc/en-us/articles/9836712961165. In short, Zoom IS retiring the current key pair used to sign the Zoom desktop client for Linux. Based on some feedback, users were unable to download the new public key. Zoom is working to resolve this issue and will share details as we have them. No customer action is required at this time.

When we have additional instructions, we will update the support article.

 

If this helped, please mark this reply as a solution so others can see this message as well. Thank you!

You may want to think about letting people know about this in the same way the change was announced, i.e. by e-mail! I had to go hunting to find this info.

PK
Attendee | Zoom Employee

I agree, the team is working on it!

Yes, we have the same issue. After importing the pub file, it's still the old key pair ending with ****C71D.

So any update for this? When should we download the new public key?
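
Added example (not from the thread or from Zoom): a Python sketch of the check the posters above describe, reading the creation date and full fingerprint of a downloaded key from `gpg --show-keys --with-colons` output without importing it. The sample output, every fingerprint and user ID, and the `EXPECTED` value are constructed; only the `C71D` suffix and the 2015 year echo the thread.

```python
from datetime import datetime, timezone

# Constructed stand-in for: gpg --show-keys --with-colons downloaded_key.pub
# (--show-keys prints key details without adding the key to a keyring).
# All fingerprints and user IDs are invented; only the "C71D" suffix and the
# 2015 creation year echo what posters in the thread reported.
SAMPLE = """\
pub:-:4096:1:0123456789ABC71D:1430438400:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABC71D:
uid:-::::1430438400::0000000000000000000000000000000000000000::Old Packager <old@example.invalid>::::::::::0:
sub:-:4096:1:0000000000000001:1430438400::::::e::::::23:
fpr:::::::::9999999999999999999999990000000000000001:
pub:-:4096:1:FEDCBA9876540001:1664582400:::-:::scESC::::::23::0:
fpr:::::::::111122223333444455556666FEDCBA9876540001:
uid:-::::1664582400::0000000000000000000000000000000000000000::New Packager <new@example.invalid>::::::::::0:
"""
# Assumption: the expected fingerprint was read from an HTTPS page on the
# vendor's own domain, not from the e-mail that delivered the key.
EXPECTED = "111122223333444455556666FEDCBA9876540001"

def parse_keys(colon_text):
    """Return primary keys as dicts: fingerprint, created (UTC date), uids."""
    keys, last = [], None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            created = datetime.fromtimestamp(int(f[5]), timezone.utc).date()
            keys.append({"fingerprint": None, "created": created, "uids": []})
        elif f[0] == "fpr" and last == "pub":   # skip subkey fingerprints
            keys[-1]["fingerprint"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
        last = f[0]
    return keys

def verdict(key, expected_fpr, retired_suffix):
    """Classify one key by full fingerprint; never by short ID or date alone."""
    fpr = key["fingerprint"] or ""
    if fpr == expected_fpr.replace(" ", "").upper():
        return "expected"
    if fpr.endswith(retired_suffix.upper()):
        return "retired"
    return "unknown"

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(k["created"], k["fingerprint"], verdict(k, EXPECTED, "C71D"))
```

The creation timestamp is set by whoever generated the key, so it is only a hint; the comparison of the full fingerprint against a value obtained over a separate trusted channel is the actual check.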