Today, Nextcloud 15 has been made available. As there is so much new and improved in this release, we have dedicated separate blogs to each main area of improvement. This blog covers our work in the area of security hardening and new security capabilities.
Security continues to be a key concern for Nextcloud users. To improve the protection of Nextcloud servers, this release enables administrators to control and enforce two-factor authentication globally or on a group-by-group base. New are also one-time codes for system administrators, to be used when the 2nd factor is unavailable.
All users will be warned to generate their one-time codes as soon as possible and store them somewhere safe. Administrators have command-line control over 2FA, in case they or users are locked out of their account.
To lower the effort of using the second factor for secure authentication, notifications from devices already authenticated can be used as second factor. This way, a mobile device can approve authentication in a browser, or the desktop client can approve authentication on a phone. The user simply gets a notification and can approve it.
Receiving a notification on iPad
Receiving a notification on Android
Simply tap approve to log in
Further hardening of Nextcloud
To harden Nextcloud further, this release brings more strict CSP (Content Security Policy) rules providing even deeper protection from Cross-Site Scripting vulnerabilities. The third generation of our App tokens improves handling on external password change. This reduces the number of times users have to re-authorize their client applications as the clients can get re-authorized automatically, provided one of the users’ logins is valid.
Manage app tokens in Nextcloud
Details on CSP and App Token V3
Our CSP no longer by default allows unsafe-eval. This blocks the javascript eval function. Developers can effectively no longer
interpret text as instructions. you could do
eval('alert(1)')
And it would just work. Now it no longer does. This means app developers will have to update their app and keep this limitation in mind. But code injection attacks by a hacker become significantly harder with our stricter CSP.
Over the last 2 years, our App Token technology evolved from app tokens which were invalidated whenever the user changed their password (V1) to public key app tokens that would be updated on password change (V2). V3 is adapted to work with LDAP or other external authentication mechanisms. While we still can’t update app tokens when you change your LDAP password, upon the first login in the web or any client, all app tokens are updated.
Ti presentiamo Nextcloud Talk “Munich”, la piattaforma di comunicazione open source e digitalmente sovrana per i team ibridi, che rappresenta una solida alternativa ai cloud delle Big Tech. Ora ancora più resiliente, potente e facile da utilizzare fin da subito. Per saperne di più.
Dai il benvenuto Nextcloud Hub 10. La nostra ultima versione è caratterizzata da prestazioni migliorate in ogni app, una maggiore integrazione in tutta la piattaforma e decine di nuove funzionalità che ti faciliteranno la giornata.
Le organizzazioni, grandi e piccole, necessitano di una soluzione che garantisca la resilienza e la sovranità digitale delle loro operazioni: un'alternativa open source e rispettosa della privacy a Teams. E oggi presentiamo questa soluzione: Nextcloud Talk.
Nextcloud announces new partnership with Thinkfree Office, a self-hosted office suite developed in South Korea, which is known for its ease of use. This collaboration is all about giving you more options, greater control, and a better user experience.
Salviamo alcuni cookie per contare i visitatori e rendere il sito più facile da usare. Questi dati non lasciano il nostro server e non servono a tracciare il tuo profilo personale! Per maggiori informazioni, consulta la nostra Informativa sulla privacy. Personalizza
I cookie statistici raccolgono informazioni in forma anonima e ci aiutano a capire come i visitatori utilizzano il nostro sito web. Utilizziamo Matomo in cloud.
Servizio:Matomo
Descrizione del cookie:
_pk_ses*: Conta la prima visita dell'utente
_pk_id*: Aiuta a non contare due volte le visite.
mtm_cookie_consent: Ricorda il consenso alla memorizzazione e all'utilizzo dei cookie dato dall'utente.
Scadenza del cookie:_pk_ses*: 30 minuti
_pk_id*: 28 giorni
mtm_cookie_consent: 30 giorni