
Store things encrypted. (For example I sync my KeePass DB via Seafile.)

Plus as far as I know neither ownCloud nor nextCloud went through a security audit and they are big piles of PHP with a lot more complexity than Seafile. So it's very likely that there are more bugs in phpCloud than in XiFile.

If you want some real security buy a DropBox/GoogleDrive/MSOneDrive subscription, hm?



> Plus as far as I know neither ownCloud nor nextCloud went through a security audit

This is inaccurate. Nextcloud does receive security audits and is in fact also used by quite some security-conscious organizations (to name a few: German Government, Siemens, ...)

There's also a bug bounty program that pays pretty decently considering the company size: https://hackerone.com/nextcloud. (Remote Code Execution = 10k, Auth Bypass = 4k - compare that to rewards that the FAANG pays and you'll see it's not that bad)

> and they are big piles of PHP with a lot more complexity than Seafile

I did a small audit of Seafile years ago and I don't think that argument flies.

For example, they copied https://github.com/django/django/blob/23c612199a8aaef52c3c7e... to https://github.com/haiwen/seahub/blob/b6f8935c0f355cc70145f9... and removed some security-critical checks. They removed the check for the password hash there. (https://github.com/django/django/blob/23c612199a8aaef52c3c7e...)

Furthermore, the Django secret key was generated as shown at https://github.com/haiwen/seahub/blob/b6f8935c0f355cc70145f9....

```
import random


def random_string():
    """
    Generate a random string (currently a random number as a string)
    """
    return str(random.randint(0, 100000))
```

That's not really secure and copy-pasting Django core code and then removing security checks ... is shady at best.

Disclaimer: I wrote a significant part of the ownCloud code (https://github.com/owncloud/core/graphs/contributors), then forked it into Nextcloud. After some years I moved to Facebook to do application security there :-)
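To make the point about the secret-key generator concrete, here is an added example (not code from Seafile, Django or the commenter): the weak scheme quoted above next to a CSPRNG-based replacement modelled on Django's get_random_secret_key(), plus a check a deployer could run against an existing SECRET_KEY. The function names and the alphabet constant are assumptions made for this example.

```python
import math
import random
import secrets
import string

WEAK_MAX = 100000  # upper bound used by the quoted generator

def weak_secret_key():
    """Reproduces the quoted scheme: a random int in [0, 100000] as a string."""
    return str(random.randint(0, WEAK_MAX))

def weak_keyspace_bits():
    """Entropy of the weak scheme: log2(100001), about 16.6 bits."""
    return math.log2(WEAK_MAX + 1)

def enumerate_weak_keys():
    """The whole weak key space fits in a list; a defender can use this to
    show that every possible key can be tried in well under a second."""
    return [str(i) for i in range(WEAK_MAX + 1)]

# Hardened replacement. Alphabet and length follow Django's
# get_random_secret_key() (assumption: 50 symbols, 50 characters).
SECRET_ALPHABET = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"

def strong_secret_key(length=50):
    """Secret key drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))

def strong_keyspace_bits(length=50):
    """Entropy of the hardened scheme: 50 * log2(50), about 282 bits."""
    return length * math.log2(len(SECRET_ALPHABET))

def looks_like_weak_key(secret_key):
    """Deployment check: a SECRET_KEY that is a bare integer in the weak
    generator's range was almost certainly produced by the weak scheme."""
    return secret_key.isdigit() and int(secret_key) <= WEAK_MAX

if __name__ == "__main__":
    print("weak key bits:  ", round(weak_keyspace_bits(), 1))
    print("strong key bits:", round(strong_keyspace_bits(), 1))
    print("weak key example:", weak_secret_key())
    print("strong key example:", strong_secret_key())
```

Run it to compare the two entropy figures; looks_like_weak_key() is what you would point at a settings file during a review.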


That the German government (specifically, ITZBund) chose to use Nextcloud is one of the most reassuring things I ever heard about it :D

Thanks for this comment, and your work on {own/Next}Cloud!


Oh wow, thanks for the quick reply. I searched for nextcloud audit but haven't found the reports, just docs about the "monitoring and audit" and the "security scan" feature. (I still can't, but maybe that's because these audits/reports are not public, I don't doubt your word.)

The bug bounty is very reassuring!


Thanks for these code deeplinks. That's scary considering seahub. I'm a happy Nextcloud user, thanks for your work!


Thanks Lukas! It's fun to see people whose code I rely on daily. Best of luck with Gatekeeper!



