
NextCloud, a security analysis - AdmiralAsshat
https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/
======
tptacek
I really don't understand what this article is trying to say. About 2/3 of it
seems to be an explanation of an SSL Labs scan. It's good to get an SSL Labs
checkup for your site, but that's like 0.5% of your overall security problem.

~~~
simplehuman
Off your head, what is your recommendation / checklist for people running
servers? He covers fail2ban as well

~~~
sillysaurus3
An audit is only around $6k. If you can afford one, you should get one.

~~~
dguido
$6k covers about 3 days of effort by a single security auditor, which barely
scratches the surface for a large application like NextCloud. Sorry, security
is expensive :-/.

You can save yourself some headache by using best practices and clearing away
all the low hanging fruit before contracting with an expert. For example, by
deploying on HHVM, aggressively using static analysis tools and clearing up
issues that lead to compiler warnings, and running external application
vulnerability scans from things like local Burp Pro or the hosted Tinfoil
Security.

~~~
sillysaurus3
The question was about people running their own webapps. $6k is a reasonable
price for a smaller project.

~~~
tptacek
There aren't many non-brochure-ware applications I can imagine getting audited
in 3 days. 2 person/weeks is a small app pentest project.

------
dguido
None of this concerns me for an application like NextCloud. Deploying TLS
properly is table stakes. What does concern me: this app is written in PHP,
famous for such a horrific design that it frequently leads developers down
dangerous code paths that result in remotely exploitable bugs.

Seriously WTF are the PHP devs smoking? Just look at these tables:
[https://secure.php.net/manual/en/types.comparisons.php](https://secure.php.net/manual/en/types.comparisons.php)

Given the size of the codebase and the insecure language and frameworks it's
built on, I would consider a NextCloud instance that touches the internet to
be at enormous risk of compromise.

If you want to investigate my gut there are a million and one things having to
do with its architecture and implementation that you want to look into. None
of those things involve what TLS cipher suites it uses.
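As an added illustration (not part of the comment above, and not Nextcloud code) of what the linked type-comparison tables mean in practice, here is a contrived token check written with the loose `==` operator beside its strict replacement; all token values are constructed for the example.

```php
<?php
// Added example, not from the thread or from Nextcloud. It shows how the
// loose-comparison rules in the PHP manual's type-comparison tables make an
// innocent-looking equality check unreliable, and the strict forms that fix it.
// The behaviour shown here holds in both PHP 7 and PHP 8.

// Loose comparison: if both operands look numeric, PHP converts them to
// numbers before comparing, so distinct strings can compare equal.
function token_matches_loose(string $stored, string $supplied): bool {
    return $stored == $supplied;
}

// Hardened: hash_equals() compares the two strings byte for byte, in constant
// time, and never performs numeric conversion. (=== would also avoid the
// conversion, but is not timing-safe.)
function token_matches_strict(string $stored, string $supplied): bool {
    return hash_equals($stored, $supplied);
}

// Constructed sample values. Both are "numeric strings" in scientific
// notation (0 times ten to some power), so under == they are compared as the
// float 0.0 and are considered equal even though the characters differ.
$stored   = '0e123456789012345678901234567890';
$supplied = '0e987654321098765432109876543210';

var_dump(token_matches_loose($stored, $supplied));   // loose: the two differ, yet compare equal
var_dump(token_matches_strict($stored, $supplied));  // strict: correctly reports a mismatch

// A second row from the same tables: comparing a string against a boolean
// converts the string to bool, so any non-empty string equals true.
// Without a type declaration the comparison silently accepts it.
function is_admin_loose($role): bool {
    return $role == 'admin';
}
// Strict type check plus strict comparison: only the exact string passes.
function is_admin_strict($role): bool {
    return is_string($role) && $role === 'admin';
}

var_dump(is_admin_loose(true));    // loose: a bare boolean satisfies the role check
var_dump(is_admin_strict(true));   // strict: rejected
```

The general rule for untrusted input is to use `===` for identity, `hash_equals()` for secrets, and to validate the type of request values before comparing them.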

~~~
LukasReschke
Just as a remark, we run a bug bounty program at
[https://hackerone.com/nextcloud](https://hackerone.com/nextcloud) offering up
to $5,000 for Remote Code Executions.

If someone here feels challenged: We look forward to your reports. :)

~~~
newsat13
This is a great response :-) Especially to people who "claim" PHP is hackable
with no follow through.

------
chrisper
I used to use all these Sync programs, but each of them had their own issues
(or missing features). So I eventually switched to regular rsync + ssh.

The upside is that you don't have to install much serverside.

~~~
bitJericho
The nice thing with nextcloud is it allows you to share to the public, just
like dropbox but self hosted.

~~~
tedunangst
That just means you rsync to the public www directory instead. :)

~~~
tw04
So your rsync+ssh solution to one-click share-a-link that is one-time use or
with an expiration date is what?

~~~
tedunangst
The knowledge that one time links are a terrible means of access control.

~~~
tw04
Ahh, the old "I don't have a response so I'll just say the feature you use
everyday is 'terrible'". The market would suggest you are completely wrong.

