What makes Nextcloud so secure?

Image Credit: Garrett LeSage https://flic.kr/p/iYxHLh

Image Credit: Garrett LeSage

By Swapnil Bhartiya

I have been a Nextcloud user since when it was ownCloud, before the fork. I recall that I was one of the first journalists who talked to Frank Karlitschek about ownCloud. I’ve always considered Nextcloud to be one of the most important open source projects because we are multi-device users and cloud plays a central role in the multi-device world to keep files and data synced across those devices. Nextcloud is actually the only fully open source and commercial cloud project that is so mature, stable and secure.

That last word, ‘secure’ is a key word in an era where mass surveillance and state sponsored hacking is increasing at an alarming rate. I looked at Nextcloud, and I talked to some of their customers and engineers to see how secure Nextcloud really is, and what I found in the process was quite reassuring. As the saying goes, ‘talk is cheap, show me the code’, Nextcloud also commissioned a report from the NCC Group to validate their claims of security.

Here is what I found: Nextcloud comes with industry standard technologies that are time tested and proven to be secure. It also follows best practices to ensure that the product offers the security that it promises.

Secure by design, secure by default

Protection from attackers

Brute force cracking is a very common, if not sophisticated, technique to crack users accounts. It is deployed by both criminals and government agencies to gain access to target accounts. Nextcloud comes with a built-in brute force protection that throttles too many failed login attempts originating from a range of IP addresses.

User account protection

Nextcloud caters to a wide range of users, employees of enterprise customers, individuals, staff and students of universities and schools, regional government agencies and many more. Nextcloud has many capabilities to protect accounts when they are used across devices. If a user wants to make any critical changes to their account in the admin area, Nextcloud requires the user password. So far I have seen such practices on Apple and Amazon products. One real life scenario could be that someone may try to modify a user account on an unattended or stolen machine where the user was logged in. Without the password, the change cannot be made.

Nextcloud also offers a password policy with a common password check for all passwords (sharing, user passwords, etc.) in the system. In addition, system admins can configure access rules for users from certain LDAP groups, that allows them to restrict access to files based on device, IP space and time frame.

System admins also have the ability to access the logging and audit log of critical actions. All critical operations are logged in an audit log which can also support remote logging.

Security of file access across devices

Two-factor authentication is becoming standard practice for many services; it must be encouraged in enterprise set-up, as well as at the individual level. The good news is that Nextcloud provides support for two-factor authentication, along with native support for hardware tokens like Yubikey. It also provides an optional build in SMS two- factor authentication for login.

Security on browser

Not everyone uses an app or a mobile device to access or manage files and document. Many  people, including myself, use a web browser for the job. These connections can be insecure. Nextcloud is bringing support for Content Security Policy (CSP) v3.0. It’s a HTTP feature that allows the server to set specific restrictions on a resource when opened in a browser. CSP makes it much harder for attackers to exploit a Cross-Site Scripting vulnerability.

With CSP 3.0, Nextcloud now has an even stricter policy. Instead of restricting the JavaScript inclusion policy to ’self‘ they now use nonces. This is a security improvement because the previous implementation using ’self‘ didn’t take browsers into consideration that do mime type sniffing.

Security of apps

In order to ensure that apps and desktop clients of Nextcloud are secure and uncompromised, Nextcloud takes extra steps for code hygiene. All Nextcloud app and desktop client updates are digitally signed to make sure that no compromised code is installed. Nextcloud is not just a file sync service, it’s a platform where you can install applications to get services like calendar, contacts and much more. To ensure security across the Nextcloud platform, all additional downloadable apps are also signed.

Encryption is the key

Encryption is the first and most effective line of defense. Users must encrypt everything that leaves the local network. But encryption is not black and white. How the files are encrypted, who owns the keys, when and where it’s decrypted again outside the user’s own devices is also important. In the case of Nextcloud, the connection between the client and server is encrypted so that no one in the middle can snoop. In addition, customers can use Nextcloud as a file syncing service and store data on a fully encrypted NAS or other storage solution, which is under their complete control. Additionally, Nextcloud sessions are stored encrypted on disks so that even if the storage medium falls into the wrong hands, the data will not be accessible.

Security by ownership

There is no doubt that proprietary services continue to improve their technology and security, but all of them including OneDrive, Dropbox, Google Drive, iCloud…have one thing in common that compromises everything: ownership over files and data. A user is no longer the sole owner of their own files and data. These service providers become co-owners of your data and, depending on the vendor, can access your data (yes it’s encrypted, but they have the keys), they can share your data with government agencies and worst of all, block you from accessing your own data, locking you out. The biggest security compromise of all is being in total control of your data. Nextcloud, as far as I know, is the only enterprise and consumer grade open source product that can compete with the giants like Dropbox, Google and Microsoft, but maintain ownership of your data.

Security is an ongoing process

Nextcloud deploys some of the most stringent processes to ensure code quality. As Linus Torvalds famously said, no software can be free of bugs and some of those bugs can be security issues. The only way to combat bugs is to create a process for code development that ensures less bugs make it into the release and if they do, they are fixed immediately. Thanks to these practices there has been no known vulnerability in Nextcloud in the last few months. Here is what they do: first, Nextcloud only merges code that is reviewed by at least two additional developers.

Secondly,  Nextcloud also runs a Bug Bounties program through Hacker One that offers rewards of up to $5000 to find security bugs.;

Nextcloud provides full security architecture reviews and audits for customers to make sure everything is configured as securely as possible.
 The security team of Nextcloud also performs regular static code scans and audits of the full code base.

Secure by verification: NCC Group’s report

These best practices that are being deployed by Nextcloud are not just on paper, they are not blatant claims by the company. Third party experts have verified it. The NCC Group is one of the most reputed organizations when it comes to software escrow and verification. In a report commissioned by Nextcloud, NCC concluded:

The Nextcloud 11 solution is built around combined assurance layers consisting of newly applied rich security features, applied best practices which are governed by policy and the design itself validated by industry standard testing processes. Following the security review of the new security features being deployed, it was considered that each feature including by aggregation by association will enhance the security standing of the Nextcloud 11 solution.

Talk is easy, show me the code

The biggest confidence in Nextcloud comes from a very simple and often overlooked fact: it’s open source. As a customer, you don’t have to take their words for it, the source code is out there for anyone to see and audit. It’s an open source project so no bugs or security holes can remain hidden. If there is a bug or hole, it will surface and when it surfaces, you don’t even have to wait for Nextcloud developers to patch it, which they do very quickly. You can take matters into your own hands and submit a patch. No other competitor — from OneDrive to Dropbox to Google Drive can beat that.

In a nutshell, when it comes to security, Nextcloud is unbeatable!