I just shut down my Nextcloud instance yesterday. Not that there was anything wrong with it, but all I really need is a file synchronization "platform", and there are others that don't open quite as large an attack surface as a complete Nextcloud instance does.
Not saying Nextcloud is insecure, and I've never had any problems with it.
Currently trying to decide if Seafile is the way for me, though I dislike its on-disk file format (IIRC it's some adaptation of Git).
We've been using Seafile for two years at my workplace. So far it's been very reliable and much faster than Nextcloud for file transfers. The current drive clients work well, but aren't as polished as Google File Drive Stream, for example. On macOS, I hope they will transition from macfuse.fs to the new FileProvider framework soon.
Seafile's file storage format has the advantage that it's easy to revert a file or folder to some earlier revision, for example after accidentally deleting files.
Store things encrypted. (For example I sync my KeePass DB via Seafile.)
Plus as far as I know neither ownCloud nor nextCloud went through a security audit and they are big piles of PHP with a lot more complexity than Seafile. So it's very likely that there are more bugs in phpCloud than in XiFile.
If you want some real security buy a DropBox/GoogleDrive/MSOneDrive subscription, hm?
> Plus as far as I know neither ownCloud nor nextCloud went through a security audit
This is inaccurate. Nextcloud does receive security audits and is in fact also used by quite some security-conscious organizations (to name a few: German Government, Siemens, ...)
There's also a bug bounty program that pays pretty decently considering the company size: https://hackerone.com/nextcloud. (Remote Code Execution = 10k, Auth Bypass = 4k - compare that to rewards that the FAANG pays and you'll see it's not that bad)
> and they are big piles of PHP with a lot more complexity than Seafile
I did a small audit of Seafile years ago and I don't think that argument flies.
```python
import random


def random_string():
    """
    Generate a random string (currently a random number as a string)
    """
    # random.randint draws from Python's Mersenne Twister PRNG, not a CSPRNG,
    # and the output space is only 100001 values
    return str(random.randint(0, 100000))
```
That's not really secure and copy-pasting Django core code and then removing security checks ... is shady at best.
Disclaimer: I wrote a significant part of the ownCloud code (https://github.com/owncloud/core/graphs/contributors), then forked it into Nextcloud. After some years I moved to Facebook to do application security there :-)
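To make the point in the previous comment concrete, here is an added example (not Seafile's, Django's or the commenter's code) that puts a token generator of the shape quoted above beside a CSPRNG-based one built on Python's `secrets` module, measures the entropy of each, and shows that every token the weak version can produce is recoverable by enumeration. The function names, the 62-character alphabet and the brute-force helper are assumptions for illustration.

```python
import math
import random
import secrets
import string

# Added example for this discussion; not code from Seafile or Django.
# Alphabet of 62 symbols (letters and digits), an assumption for this example.
ALPHABET = string.ascii_letters + string.digits
WEAK_MAX = 100_000  # upper bound of the quoted randint(0, 100000) call


def insecure_random_string():
    """Weak: Mersenne Twister output, only WEAK_MAX + 1 possible values."""
    return str(random.randint(0, WEAK_MAX))


def secure_random_string(length=32, allowed_chars=ALPHABET):
    """Hardened: each character drawn from os.urandom via secrets.choice."""
    return "".join(secrets.choice(allowed_chars) for _ in range(length))


def entropy_bits(num_outcomes):
    """Bits of entropy for a uniform choice among num_outcomes values."""
    return math.log2(num_outcomes)


def insecure_entropy_bits():
    """Entropy of insecure_random_string(): log2(100001), about 16.6 bits."""
    return entropy_bits(WEAK_MAX + 1)


def secure_entropy_bits(length=32, alphabet_size=len(ALPHABET)):
    """Entropy of secure_random_string(): length * log2(62), about 190 bits."""
    return length * entropy_bits(alphabet_size)


def brute_force(token):
    """Enumerate the whole output space of insecure_random_string().

    Returns the number of guesses needed to hit `token`, or None when the
    token is not one the weak generator could have produced. The comparison
    is constant-time, as a real verifier should be, so timing leaks do not
    shortcut the search either way.
    """
    for guess in range(WEAK_MAX + 1):
        if secrets.compare_digest(str(guess), token):
            return guess + 1
    return None


if __name__ == "__main__":
    weak = insecure_random_string()
    strong = secure_random_string()
    print(f"weak token {weak!r}: {insecure_entropy_bits():.1f} bits, "
          f"recovered after {brute_force(weak)} guesses")
    print(f"strong token {strong!r}: {secure_entropy_bits():.1f} bits, "
          f"brute force result: {brute_force(strong)}")
```

The weak generator is not merely "not great": a reset or confirmation token drawn from it falls to at most 100001 online guesses, which is within reach of a single unthrottled client. The hardened version is the same idea as Django's `get_random_string`, only without the `random` fallback.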
Oh wow, thanks for the quick reply. I searched for "nextcloud audit" but haven't found the reports, just docs about the "monitoring and audit" and the "security scan" feature. (I still can't, but maybe that's because these audits/reports are not public; I don't doubt your word.)
In my experience I've not found software developed by engineers based in China to be developed with any particular care. It is very common to see trivial backdoors, massive amounts of data collection, and plaintext protocols. For situations where the developer is being security conscious, the language barrier often means that reports of concerns are either ignored or misinterpreted.
It is often the case that software developed outside of China, for devices produced in China, is alright, but on the other hand many companies like Honeywell simply contract all of their software development there as well, and it painfully shows. I shouldn't be able to buy a product in 2020 that has a Linux kernel from 2012 and multiple remote code execution vulnerabilities just from public CVEs, but the Honeywell Tuxedo security system managed it with ease.
I have experience of similar software quality issues; however, none of this is unique to China, North America, Europe or India. My question was specifically related to the hardware most people run, which is often fabbed in China, given most people take it for granted that this is "safe".
The hardware is obviously suspect as well, but I can only speak for the number of actual backdoors I've been able to find in my own devices. Root shells on random sockets, "accidental" eval() in web UI elements, hardcoded passwords, actual processes just called `backdoor`. I especially liked being able to remove the IPMI password from a SuperMicro board I bought from eBay by making an HTTP request to a "buggy" endpoint that printed the root password back in plaintext.
It's always about trade-offs. For our use-case, I trust it well enough to prefer it over something cloud-hosted in another country. But I don't doubt that Seafile contains security holes and I wouldn't be surprised if there were backdoors. But I assume that for quite a lot of the gear I manage, so... :)
I have, but Syncthing doesn't have iOS clients, or at least it didn't last time I checked.
There was a client on the appstore called "f-sync", but that is gone now.
Also, Resilio (with paid license) supports features that Syncthing didn't support like selective sync, and encrypted folders, which allows you to share a folder with someone for redundancy and have things stored encrypted on disk.
There is a newly released third-party iOS client https://www.mobiussync.com. Unfortunately it is closed source, which is what has stopped me from purchasing it (the free version is limited to 20 MB sync).
I'm not too worried about the client being closed source, especially not when the server is open sourced.
For Syncthing there is of course the potential problem of the client leaking the secrets to the author, giving them unauthenticated access to the server.
Thanks for the pointer, I'll check it out, though I've had a "lifetime" license for Resilio for years, and it scratches my itch, so there's no pressure to switch.
I have used syncthing in the past for server to server synchronization, a task it performs extremely well, but previous attempts at creating a "road warrior" setup from iOS (with f:sync) all ended in clients taking minutes to connect to the backend, where Resilio would do it in seconds. I'll give it another try.
> I'm not too worried about the client being closed source, especially not when the server is open sourced.
> For Syncthing there is of course the potential problem of the client leaking the secrets to the author, giving them unauthenticated access to the server.
Yes, that is the risk. It is significant because the credentials entered into the closed source Mobiussync app (that wraps the open source Syncthing node) would allow the author (if malicious, which I have no reason to believe they are) to access all of your files (even if your other nodes are behind firewalls, by design).
Now, I’d like to believe Mobiussync is doing the right thing. It aligns with their economic interests to not steal credentials, since nothing would kill their app sales faster than being found out. I imagine it also would be easy to detect if the app was exfiltrating credentials by monitoring app communications. I’ve also read the announcement post: https://forum.syncthing.net/t/isyncthing-ios-client-for-sync... and appreciated the way the author engaged with the Syncthing community here: https://forum.syncthing.net/t/mobius-sync-ios-client-now-in-... . Based on my assessment of their conduct and the factors above, I feel almost certain Mobiussync does the right thing by its users.
But economic incentives change, authors change, bugs in code happen, and a good feeling is not the same as verifiability. The risk may be small but at stake is all your data.
I’d certainly pay more than the (very reasonable) price the authors ask for, for the additional peace of mind given by open source.
I just purchased it as well. It's less than a cup of coffee, and most importantly not subscription based.
I may or may not use it (gonna evaluate Syncthing to replace Resilio), but at least I can support the developer for making a thing that was VERY much needed.
No more than I worry about my operating system or office suite being closed source.
But then again, I don't put my sensitive information like passwords, ssh/pgp keys, tax returns and stuff like that in Resilio. I very rarely need those documents "on the go". Instead I have working documents, books, notes and more that I need access to, and while I'd rather not share them with the rest of the world, it would probably not make much difference if they were.
Furthermore, I can completely "wall off" Resilio Sync. It runs in a container on my public server, and files I need access to are mounted as NFSv4 shares "outside" the container. Access to the shares is managed through Kerberos.
So even if you make it inside the container, you can (probably) wreak havoc with the files on the NFS shares, but those are backed up, and unless you can find a way out of the container, or a bug in NFS, that's pretty much it.
The container has only the absolute minimum of binaries to allow Resilio to work, so your toolkit is kinda limited, at least when compared to Nextcloud, which requires a lot of binaries/libraries to work, along with a PHP interpreter.
Yeah, NextCloud is overkill for that. I see it as the back-end of the phones of my family though: calendar/contacts sync, auto picture uploading (which you can view on a map even), sharing files within the family, off-site backups for everyone. I'm just waiting for NextCloud Talk to support federation so I can talk between servers. (I say family but it means different families; in my language there is a word for just parents and kids and another for when you also include more ("gezin" vs "familie"), not sure which to use, but we have multiple domains and servers, all in my basement though ;))
Interesting – for basically the same reason we made the inverse switch from Resilio to Nextcloud with a small startup team with <10 devs.
Nextcloud provides us custom shares, user groups, public shares, URLs, better local clients, compared to the Resilio performance. Resilio was especially bad on Linux (but worked remarkably well on my android with a large SD card). With Nextcloud I can even choose to use WebDAV only if I don't want to mess with clients.
I guess it depends on your workload. My Nextcloud was only for myself and my family, and we only used it for "files on the go".
Calendar/contacts is handled by iCloud (Apple household, it's a Danish thing...)
Notes are handled by whatever each person finds the easiest. My wife defaults to the iOS notes app, I switch between various clear text editors.
File synchronization on desktops/laptops is handled by Synology Drive, which syncs beautifully whenever the machine is connected to our LAN, either directly or through VPN.
The only problem I needed to solve was ad-hoc access to files on mobile devices, preferably without opening ports, and since VPN doesn't always work from other private networks (IP scope clash usually), I chose not to use Synology tools for this. Besides, Synology Drive doesn't support selective sync, and while documents probably wouldn't be a problem, synchronizing gigabytes of books to my phone isn't really an option :)
Resilio on Linux does have a nasty habit of doing disk IO all the time, a habit that Syncthing doesn't have. When I look at running processes, Resilio on Linux is constantly using 2-5% CPU.
Thing I don't like is that it expects to be hooked to the internet, and it nags you about apps you should install but you have to install them from their cloud/app store.
Now there is a way to install the app store on your server, but it would be nicer to get started without having to buy into all that. So I just run the default apps.
I briefly considered putting up separate VMs for front and backend containers, but ultimately decided against it. Instead I have a “web” docker network where my nginx reverse proxy runs, and a “services” docker network where I run the stuff I proxy.
Databases and other containers needed for the backend services run on another network as well, so if you make it inside nginx you will (of course) be able to access my already exposed backend services, but no direct access to databases and other services.
Before shutting down Nextcloud I used to have a resilio container running, and I would mount the data from that inside Nextcloud, so no direct contact between the two.
But then again, I just need access to files through a browser, and don’t need any of the advanced features of Nextcloud, so I’m still trying to find a better match. Looking at seafile if I ever find the time.
Not ideal, but you could give it internet access, install all the apps you want, and then isolate it again (remove it from the docker non-internal network or whatever).
As long as the apps you install don't need to make web requests on their own, they'll work fine.
For now I use Resilio Sync.