Nextcloud E2EE broken

Some very basic mistakes here:


I’m not actually surprised



Abstract—Nextcloud is a leading cloud storage platform with
more than 20 million users. Nextcloud offers an end-to-end
encryption (E2EE) feature that is claimed to be able “to keep
extremely sensitive data fully secure even in case of a full
server breach”. They also claim that the Nextcloud server
“has Zero Knowledge, that is, never has access to any of
the data or keys in unencrypted form”. This is achieved by
having encryption and decryption operations that are done
using file keys that are only available to Nextcloud clients,
with those file keys being protected by a key hierarchy that
ultimately relies on long passphrases known exclusively to
the users.
We provide the first detailed documentation and security
analysis of Nextcloud’s E2EE feature. Nextcloud’s strong
security claims motivate conducting the analysis in the setting
where the server itself is considered malicious. We present
three distinct attacks against the E2EE security guarantees in
this setting. Each one enables the confidentiality and integrity
of all user files to be compromised. All three attacks are fully
practical and we have built proof-of-concept implementations
for each. The vulnerabilities make it trivial for a malicious
Nextcloud server to access and manipulate users’ data.
We have responsibly disclosed the three vulnerabilities
to Nextcloud. The second and third vulnerabilities have been
remediated. The first was addressed by temporarily disabling
file sharing from the E2EE feature until a redesign of the
feature can be made. We reflect on broader lessons that can
be learned for designers of E2EE systems

This isn’t anything we didn’t know already. And this has been discussed on the forum before. I have many times raised my concerns about this also to nextcloud themselves. They are ignorant about it.


Can you give pointers? The above abstract is unreadable.

They probably can’t justify the business cost of a complete re-implementation of E2EE. They’re still a rapidly growing company and will continue to grow as long as they remain the dominant webdav/caldav/carddav server.


Would be interested to see how Seafile compares in terms of E2EE security.

That’s the worst argument I have heard in ages about accepting a massive security flaw. If they can’t even keep their core product secure I think they better just stop at all. E2EE is used a lot in the PR of Nextcloud and every time I see it it has been very frustrating given the state of things.

Should be noted that according to the paper some things were resolved. Not that I would trust it to be safe now.