Show HN: Zoom Redirector

I once used Zoom's web interface and the video quality was horrible. When I switched to the downloaded app, it was much better. Not sure if this was a one-off problem or an underinvestment in their web interface.

I used to get pretty annoyed that Zoom made download the stupid client to join a video chat but now that I’m using it constantly I’m learning that there’s a pretty great reason, the native app is so superior in terms of user experience.

Would be great to add tampermonkey/greasemonkey support. Opened a ticket for it

I had no idea there was even a web version. Does it work in Linux? Zoom often leaves me with broken audio and I really dislike having to have more rarely used software trying to stick around in memory. I uninstall it after each use, purely out of spite. This is great.

I'm guessing this is related to the "Zoom monitors activity on your computer" story https://news.ycombinator.com/item?id=22657384

While anecdotal, I pretty much exclusively use the web version and haven’t noticed degraded video quality when on a good internet connection. (I work on a 2015 MacBook Pro.)

It's something I've wanted to write for a long time, and that tweet finally spurred me to do it. Hadn't seen the HN thread though!

The web client has never for me on Ubuntu.

So web-based Zoom cannot detect if Zoom window is not active?

It can still do that, but it can't get what programs you have running or the other data collected by the desktop client.

Beyond the privacy concerns it's a security risk. Their desktop client had a remote code execution vulnerability last year:

https://www.zdnet.com/article/researcher-says-zoom-web-serve...

The current implementation uses the WebExtension apis to perform an _internal_ redirect. When you navigate to a Zoom meeting, before the browser opens a connection or sends a single network packet, the extension rewrites the url to navigate to their web client.

On the other hand tampermonkey/greasemonkey are content scripts that get injected into loaded pages. An implementation here would look like: the user navigates to a Zoom meeting, they load the entire page, and then a script gets injected to perform a `window.location` redirect. This will be slower and depending on the timing of events you may even still get the Zoom file download prompt.

So I don't think tampermonkey/greasemonkey is a good fit here.

On Ubuntu + Firefox I can see other people, but I can’t hear anything, nor can they hear me (I don’t know if they can see me)

I was unaware of that. Just frustrated it added an annoying “zoom” icon to my touch bar without my permission. I feel like this is “IE4 Toolbar” level crap.

When I saw the title I thought it was something else. At a previous company we had a nice url: mooreds.example.com

which would redirect to a standing zoom url. Made for a nice way to easily start a video conversation.

Or is it just that the Zoom web experience is really poor? Google Meet and BlueJeans web UIs are great.

Couldn't get it to work on the latest FF Beta on Ubuntu 19.10 but the web client worked totally fine on Chromium.

Works great for me, Gentoo, 4.20 kernel, Xfce, Chrome and Firefox.

I believe they recommend Chrome, so you might want to give that a try

Never zoom for me ever again with their malware.

I refuse to use or install their product.

It's like we're back in the 90s again.

This inspired me to finally figure out how to be able to one-click Zoom links, with no external protocol prompt or leftover useless tab in Chrome.

https://github.com/tristandunn/one-click-zoom

Except now the webapp is real time video and voice chat

Isn’t BlueJeans just a wrapper around zoom?

Tampermonkey, I believe, can also intercept HTTP requests. Maybe that's sufficient/necessary for redirecting to another client.

That is great for you. For a lot of people it's becoming a requirement of their jobs, and quitting in a global pandemic over an app seems like a non-optimal response.

Chromium should work too, no?

Oh, cool. I really need this. Thanks.

Why is it malware?

The web version will be using WebRTC with whatever codecs your browser ships while the native version is able to use custom codecs.

You should update the readme to include this context!

You can hide it ...

Solving Zoom’s Dark Pattern no 1... great work!

RCE vulnerabilities, joins rooms without consent, tries very hard to persist beyond uninstalls. And their security attitude mirrors SCdF's: Your company forces you to use us, fuck you.

They only support Chrome, and you can only view one other person at the same time.

The problem isn't that it's visible. The problem is that it's there.

This is incorrect. Zoom doesn't use webrtc audio and video channels, only data channels, and has reimplemeted audio and video channels on top of that, doing the decoding in js and probably wasm.

They also limit the resolution to 480p for the web app, probably because of performances. Browsers and zoom both use h264, but browsers usually use vp8 instead.

There is no reason webrtc cannot offer the same quality (or better) than zoom, at the same bit rate, but it all comes down to the actual implementation of browsers and web apps. webrtc-based apps work well, these days.

this attitude is actually a major part of the problem - if engineers would consistently speak up instead about this not meeting security / privacy standards maybe we could have nice things. unfortunately people either really are this incompetent and don't know or lack the balls to do so. Either way we all lose out.

zoom seriously needs to die. no friggin way I'd ever engage in a responsible disclosure with this company - no matter who gets thrown under the bus.

let me expand (copy pasta from my comment on sibling post[0]):

this isn't the first time zoom got caught red-handed[1]. Last year they were called out for installing a local web server in order to disable security controls to get around the deprecated NPAPI[2] ... this is _literally_ what malware does. Seriously fuck zoom!

[0] https://news.ycombinator.com/item?id=22658173

[1] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...

[2] https://en.wikipedia.org/wiki/NPAPI

have you ever considered the security and privacy implications of using this product?

I doubt it. Reading the comments in your link shows that it was just unsubstantiated fearmongering.

I expect it is more to do with the fact that you don't need the Zoom app and why should you have to download it when pretty much everything works perfectly through the web client?

I don't want to diss an effort made with good intentions. though this is like using duct tape on fatally flawed design - it doesn't solve the problem. We're dealing with an inherently hostile company which aggressively uses dark pattern, ignoring privacy and security best practices. Not only are they ignoring these things they actively bypass the security control on the host-system where it is installed - this is literally what malware does. You don't put duct tape on malware so it works better for you!

If they would be a Chinese company they'd be banned and probably even sanctioned. Stop using this shit and stop justifying its use just because your employer makes you use it. Grow some balls (or eggs) and speak up naming it for what this is (malware) - so that we can all have nice things and not be forced to engage in endlessly justifying ourselves because "team or company XYZ is using it too and it works great for them ..."

No one is saying don't speak up.

You're commenting on a post that is about a link that helps people use a web version of Zoom, which by its definition doesn't have the malware issues that people talk about (unless they are breaking sandboxing in the browser which would be pretty major).

What I was replying to was the "no grey area allowed" black and white dying on a hill response to the existence of the tool at all. This is why non technical people roll their eyes at technical folks and ignore us, because so many of us live in this world where we aren't willing to negotiate or hold more than a single thought in our heads at once.

I don't want to use Zoom, I bring up alternatives at my org all the time, and meetings that I control do not use it, and I do not install their binaries on my own devices, instead opting to use the web client when required. But the reality is that I don't get to make that call all the time, and if it's a choice between using Zoom on the web and not communicating at all, then the choice seems pretty clear to me.

I understand your sentiment and am even inclined to agree with it. but I have been there before just too many times. there is always a momentum for such a discussion as long as the product hasn't yet fully saturated the market. that said, even if that window of opportunity is utilized by critics (e.g. engineers and early adopters) there still is a high risk that this type of behavior (by Zoom) gets normalized. it's the same old pattern: we create small hacks and workarounds which nobody except a minority knows or cares about - eventually they'll release features which we're no longer able to workaround - by then employers consider it as a "critical software to do business" - by which any discussions about flaws have become impossible. (too big too fail)

if we don't speak up now and give them FIRE, then the covid19 crisis will have been the reason why another surveillance technology gets normalized. working under tracking a la "upwork.com" - where marketeers decide how to screen capture and key-log all input is somehow normal.

note: I'm not attacking your point and didn't think you agree to Zoom's way of doing things. I just feel really strongly about not giving them any benefit of the doubt because they have already got a history of abusing trust.

my comment in the sibling thread mentions why this literally can't be fixed with a browser add-on: https://news.ycombinator.com/item?id=22662212

again: not an attack on your comment, not attacking OP's work either. and we probably agree on more than we disagree here by what I can tell

I have absolutely no idea what you're on about. How is Zoom malware?

By "actively bypass the security" do you mean "it's a program that you need to install on your computer"?

Can you elaborate why Zoom is malware in ways that VS Code, VLC Media Player or Photoshop aren't?

EDIT: I mean the question honestly, as a question. I might have missed something. I mean, I saw yesterday's HN topic on a tweet that claims it sends info about all active programs to a server. But I saw nothing to substantiate that other than an "attention tracking" feature which is way less invasive than what's described in that tweet and off by default.

Did I miss the evidence, or some other damning privacy invading misfeature?

I just posted the related issues to my companies working-remote channel to raise awareness, because lots of us AND our clients suddenly began using Zoom. We are in Europe, so the laws are quite different.

So far, the response as been zero (it's been an hour) but let's see. Maybe I can make some coworkers and clients be more wary of Zoom.

The videoconferencing industry seems to believe it's necessary to bypass regular OS protections to make the UX "better".

For example: https://www.theverge.com/2019/7/8/20687014/zoom-security-fla... By design, instead of using a URL handler, they run a HTTP server on your machine to bypass the "open with" dialog. There are good reasons not to trust the binaries they ask you to run.

Here, it turns out they offer a web client after all, which is nice and sandboxed, but they default to trying to run a binary on your machine where you have less control over what it does.

Doesn't zoom also support h.323 and SIP[0]? There are open client available for this [1]. Don't know how good these actually work.

[0] https://support.zoom.us/hc/en-us/categories/200110033-H-323-... [1] https://www.gnugk.org/h323-endpoint.html

@rainforest's reply pretty much covers it. NPAPI was deprecated for security reasons so they thought it was a good idea to bypass that deprecation by installing a local webserver. My other comment on yesterdays thread: https://news.ycombinator.com/item?id=22658173

> Not only are they ignoring these things they actively bypass the security control on the host-system where it is installed

What we're seeing is the constant balance between easy-of-use VS privacy/security and people making the choice without really understanding the consequences.

In the end, privacy/security is so invisible and hard to understand for "normal" people that easy-of-use and performance always seems to win in our current system.

> Stop using this shit and stop justifying it's use just because your employer makes you use it.

This seems a bit simplistic. We're all humans and navigating what's almost a political situation regarding Zoom and it's issues can hurt you individually, while not gaining a lot globally.

I'm not saying you're wrong, ideally we should all stand up for what we believe in. But sometimes the contexts and environments prevent us from doing so, and not all of us are ready to die on the hill that is privacy/security.

I can't find any information around this except an open issue (https://github.com/Tampermonkey/tampermonkey/issues/397), you got any links?

As I understand issue linked above, they want to support it but currently does not, in official releases. What's supported is catching all requests in a page, but that's after the contentscript has been applied to the page, which means what arkadiyt wrote would still be accurate.

Thanks a lot! I had been bypassing manually the zoom client, but lately I felt like they were hiding more and more the browser option (up to the point that sometimes I had to run Chrome to have two chances for the non-client link to appear).

I highly recommend using solutions based on WebRTC, which is present in all modern browsers and is really good (see https://www.youtube.com/watch?v=WFil-ZPE0-g for a comparison with Zoom).

Whereby (formerly appear.in) https://whereby.com/ has a really nice and simple system. No more jumping through a dozen hoops, no more installing software with glaring security holes and borderline malware behavior (looking at you, Zoom).

> Update, 5:15PM ET July 9th: Zoom has published a blog post detailing its response to this vulnerability, including how it will patch its software and uninstall the webserver it has installed on Macs. More details here, and original story follows.

Seems like they don't, and haven't since July.

i hear you and I understand this sounds like privacy or security maximalism. but bear with me for a second ...

at some point in the last 100 or 200 years technology has become so complex that society has agreed to compartmentalize problem domains into subject matter expertise and we install specialists to work on these problems.

you're spot-on saying that the majority can't tell and probably doesn't care. but the majority also isn't as deep in this as most people here. if it's not our job as engineers or as an industry to raise raise alarms when it's justified what chances do we have - or what chances do those have who aren't skilled to ask or answer these questions?

Things have become so complex that our reaction is now to no longer question things and instead point to team-XYZ who claim that they are using it successfully (but have they really investigated what they're using or are they just so desperate to turn a blind eye to what's happening?)

I'm not willing to die on that hill but am prepared to fight this for long enough until people wake up to the problem. The point is to stall the nomalization of this behavior for long enough - until a sizable portion of specialists/subject matter experts is aware and can no longer be ignored. The #DeleteFacebook movement and people inside Google and Microsoft fighting ICE contracts are an example that pressure maybe doesn't solve the problem but it still is a very effective "spanner in the works" of Surveillance Capitalism.

How does WebRTC compare when you have a lot of callers (e.g. 20 people in a call)? From my understanding, it is p2p, so the network throughput required would be a lot higher, correct?

the used to do it, but there was a huge backlash. I think even apple pushed a patch to block their behaviour

thanks for speaking up. this takes a lot of guts and I hope you get your colleagues attention. forcing a tool like this on employees is a betrayal of trust and could also have devastating effects on their motivation.

What are the issues exactly? I've also been using it but so far haven't heard of privacy concerns that are unique to Zoom? Obviously, P2P should be preferred but it's really hard for this to work with larger groups, esp if some have connectivity issues. Zoom just shines here.

TBH, I have no idea, I have done calls with up to 8 people only. I would be interested to know myself. Whereby seems to support up to 12 video streams, with the rest being audio-only.

What is the actual current issue

we've been using jit.si in 2016 which worked well but it might be overloaded today idk. we hit some bottlenecks when trying to scale up and improved the situation by running our own jitsi instance on a DO droplet but that too would not scale to a large audience. I think that if you have more than 10 participants in the meeting then you have anyway other problems (the same issues when you have too many people in a f2f meeting).

from a technical pov I still wonder if running jitsi (or another similar solution) on dedicated hardware which is better tailored to a GPU intensive operation. This could then be easily deployed in-house (with all the benefits: full control and eliminating a lot of attack vectors). Seems like a cool problem to solve while in corona quarantine.

see yesterday's thread in general but especially this: https://news.ycombinator.com/item?id=22657605

extensively discussed yesterday: https://news.ycombinator.com/item?id=22657384

How is that the same as malware? I.e. "software intentionally designed to cause damage to a computer, server, client, or computer network", if the Wikipedia definition has authority. That's not at all what Zoom does.

You're assuming ill intent where there is none. At the worst, it's incompetence. And they fixed the local http server flaw.

I'd much rather we reserve the term "malware" for actual malware and not dilute it to mean "any program made by a programmer who's either not very good at security or doesn't have the exact same opinion about it as me".

Zoom's product team is based in China.

https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead...

This is an example. Why would you trust an organisation that engineers "solutions" to security measures but does so without due care and attention leading to a widespread critical security bug?

I don't know about linux but it works with Chromebooks. Since chromebooks are common in education and zoom is big in education, I'm sure they will keep that version going for a while. On a chromebook it asks you to download a chrome addon but it gives you a link to the web-only version too.

I can’t seem to figure it out: what is the URL pattern that leads to a web meeting rather than an app launch? I don’t want a widget. I just want to type it in myself.

I really want to try this out for the specific reason of testing to see cpu performance differences. The MacOS app is a massive CPU abuser with ~50-60% use in meeting or sharing on my iMac 4k, it makes demoing work much slower than reality and makes my work look slower than it even is IRL.

Looks like prefix the id in the ptah with /wc/ and postfix it with /join though if I look at a real Zoom invite with both links it's prefix with /wc/join e.g. https://example.zoom.us/j/<numbers> is https://example.zoom.us/wc/join/<numbers> for the web link.

you're misrepresenting what I said:

> they actively bypass the security control on the host-system where it is installed - this is literally what malware does

it is not equal to malware. It is what malware does, which is an important distinction. If you're OK with a product disabling the host-system security controls and still happy to trust the product with this taken in consideration then fair enough: use it, defend it, and evangelize it as much as you want. As somebody who has "security" in the job title it is a problem for me.

> And they fixed the local http server flaw.

it wasn't a flaw or silly design bug, it was a conscious design decision to gain market share which other players felt too risky. please read the NPAPI spec and why it was deprecated. A company doing this has no place in an enterprise network!

Spyware (which Zoom is) is also a type of malware.

That works! The "join" can go before or after the numeric ID. I just tried it both ways.

IIRC Skype back when it was p2p used the first participant as a host with full resync if it went down.

> > they actively bypass the security control on the host-system where it is installed - this is literally what malware does

> it is not equal to malware. It is what malware does, which is an important distinction.

That's not an important distinction at all. It's like saying "Ooh George talked to Mary when they were alone in the elevator. That's what rapists do", and then later defending it by saying "well, I did not say that George is a rapist".

I agree with the remainder of your comment, fair point. I think your initial comment would've been stronger if you had used the "no place in an enterprise network" argument instead of the malware comparison.

The official Zoom Scheduler extension automatically adds https:// links to Google Calendar. I suppose I could hijack the URL earlier, but you'd still need the external protocol prompt setting. And I guess depending on how it's handled it could potentially avoid the need to close the tab, although it might require permissions for every website instead. I think I'll stick with my simple solution for now.

I wish there was a solution for Cisco WebEx. To join in a browser and avoid their application. On macos it automatically adds itself to the launchagents (or whatever that autolaunch on login is), it is not the easiest thing to get rid of (regular users might be stuck with it forever.

> That's not an important distinction at all. It's like saying "Ooh George talked to Mary when they were alone in the elevator. That's what rapists do", and then later defending it by saying "well, I did not say that George is a rapist".

Installing an HTTP server on your client to bypass security control is not talking to Mary in an elevator. It's following Mary home, and making a copy of her house key.

The joke was (at least to the best of my knowledge) that nudging people to use chrome is further reinstating their monopoly, leading to a browser landscape comparable to IE days, which would not quite be the 90s, but close.

Will the drive to mass online meetings finally revive multicast?

Whereby charges you if you have more than 4 participants.

Do you have a recommended alternative?

My only argument is that you can't first imply that Zoom is malware and then claim that you didn't say Zoom is malware.

Seems fair!

Yes, zoom web view worked for me on Fedora with Chromium from the Fedora repo.

As stated elsewhere, it doesn't show the same thumbnail/gallery view of non-speaking participants that you can get with the native client. I was able to share an application window, so there is some decent functionality. I don't know if that might vary with graphics stack, i.e. Intel vs NVIDIA and Wayland vs Xorg...

Yes p2p, so to support higher numbers of people you'd need either a server somewhere doing compositing or selective forwarding (etc). I think a smart front-end client could do selective forwarding but would be tricky to get right (e.g. to consistently detect and forward the speaker).

EDIT: I meant to include, WebRTC itself does not prohibit such things, so the point was for small stuff it works w/ minimal setup, dumb client, and for bigger stuff it would still work, but would need more robust supporting code.

Made a WebView wrapper for Windows, that has an additional benefit of having a separate browser profile (e.g. no crosstracking): https://losttech.software/Downloads/FuZoom/

Well, yes — and? I expect every sustainable business to charge money, otherwise it will disappear when it runs out of VC funding or enthusiasm.

The default installs of Jitsi Meet use Jitsi videobridge to avoid p2p for calls of >2 participants.

For <=2 people, p2p WebRTC is used (though a STUN server might be needed to traverse NATs for each person [0]).

For >2 people, the Jitsi Videobridge is used instead of p2p [1]: it takes in all media streams from all clients (possibly even in different resolutions) and selectively forwards them to clients based on bandwidth [2]

[0]: https://en.wikipedia.org/wiki/STUN [1]: https://jitsi.org/jitsi-videobridge/ [2]: https://github.com/jitsi/jitsi-videobridge/blob/master/doc/s...

I guess I thought it was relevant in a thread about zoom which allows 100 participants for free.

Thanks for the information, I also realized that a while after writing the comment. No wonder the experience is worse than in their native client, data channels are still terribly unoptimized (sometimes even broken in some aspects).

Edit: https://bloggeek.me/when-will-zoom-use-webrtc/