Nextcloud E2EE broken

ianopolous · April 11, 2024, 4:16pm

Some very basic mistakes here: https://eprint.iacr.org/2024/546.pdf

dngray · April 11, 2024, 4:34pm

I’m not actually surprised

github.com/privacyguides/privacyguides.org

Recommend against Nextcloud E2EE

privacyguides:main ← privacyguides:pr-remove_nextcloud_e2ee

opened 11:02AM - 30 Nov 22 UTC

dngray

+22 -22

This is something we should have recommended against some time ago: - https:/…/discuss.privacyguides.net/t/remove-nextcloud-e2e-recommendation/10352/7 - https://github.com/privacyguides/privacyguides.org/discussions/1484 It doesn't look like it's made a whole lot of progress either: - https://github.com/privacytools/privacytools.io/issues/2054#issuecomment-695860956 - https://github.com/privacytools/privacytools.io/issues/197

lepras · April 11, 2024, 6:06pm

Abstract?

ianopolous · April 11, 2024, 8:08pm

Abstract—Nextcloud is a leading cloud storage platform with
more than 20 million users. Nextcloud offers an end-to-end
encryption (E2EE) feature that is claimed to be able “to keep
extremely sensitive data fully secure even in case of a full
server breach”. They also claim that the Nextcloud server
“has Zero Knowledge, that is, never has access to any of
the data or keys in unencrypted form”. This is achieved by
having encryption and decryption operations that are done
using file keys that are only available to Nextcloud clients,
with those file keys being protected by a key hierarchy that
ultimately relies on long passphrases known exclusively to
the users.
We provide the first detailed documentation and security
analysis of Nextcloud’s E2EE feature. Nextcloud’s strong
security claims motivate conducting the analysis in the setting
where the server itself is considered malicious. We present
three distinct attacks against the E2EE security guarantees in
this setting. Each one enables the confidentiality and integrity
of all user files to be compromised. All three attacks are fully
practical and we have built proof-of-concept implementations
for each. The vulnerabilities make it trivial for a malicious
Nextcloud server to access and manipulate users’ data.
We have responsibly disclosed the three vulnerabilities
to Nextcloud. The second and third vulnerabilities have been
remediated. The first was addressed by temporarily disabling
file sharing from the E2EE feature until a redesign of the
feature can be made. We reflect on broader lessons that can
be learned for designers of E2EE systems

ph00lt0 · April 11, 2024, 9:09pm

This isn’t anything we didn’t know already. And this has been discussed on the forum before. I have many times raised my concerns about this also to nextcloud themselves. They are ignorant about it.

lepras · April 11, 2024, 11:30pm

Can you give pointers? The above abstract is unreadable.

clockwork · April 12, 2024, 1:15am

They probably can’t justify the business cost of a complete re-implementation of E2EE. They’re still a rapidly growing company and will continue to grow as long as they remain the dominant webdav/caldav/carddav server.

sha123 · April 12, 2024, 11:43am

Would be interested to see how Seafile compares in terms of E2EE security.

ph00lt0 · April 12, 2024, 3:03pm

That’s the worst argument I have heard in ages about accepting a massive security flaw. If they can’t even keep their core product secure I think they better just stop at all. E2EE is used a lot in the PR of Nextcloud and every time I see it it has been very frustrating given the state of things.

Should be noted that according to the paper some things were resolved. Not that I would trust it to be safe now.

Topic		Replies	Views
Add Internxt as a Drive alternative and as a Send tool Tool Suggestions	31	2449	March 27, 2024
Remove Crypt.ee from "Cloud Storage" Tool Suggestions completed	35	3377	February 14, 2023
Capacities (Notion alternative) Tool Suggestions rejected	2	813	October 14, 2023
Tresorit Cloud Storage Tool Suggestions completed	16	2857	March 23, 2023
Seald.io (E2EE Library) Tool Suggestions	2	519	February 8, 2023

Nextcloud E2EE broken

Related Topics