Securing your data is a top priority at Nextcloud. Self-hosting puts you back in control of your data: it gives you the certainty that nobody except you can access it, and it protects you from the data leaks that regularly hit large data silos like Dropbox.

However, with great power and privilege come responsibilities. One responsibility is keeping your server secure, making the life of prospective attackers hard.

In this post, I want to share some insights into what we have been doing to make Nextcloud the most secure way of keeping your data under your control, and explain what dangers an up-to-date Nextcloud server protects you from. I also share some thoughts on best practices and the further improvements we are working on.

As always, I am looking forward to the feedback from our community members, customers, and users!

The dangers: security apocalypse?

Using public services to host your private data is risky. Even leaving aside companies that hide massive security breaches, sometimes for years, sharing server infrastructure with millions of other users simply paints a target on your back. But while hosting yourself is beneficial, it does not make you invisible.

When talking about security updates, I often hear statements such as: “Why should I care to update my server? I am not a target after all. I will wait until I have time.”

Reality is different: you are a target, and so is everyone else. As soon as you connect your server to the internet, it becomes a target. Attackers use automated tools that crawl the Internet for vulnerable services and try to break into them 24/7. Look through the logs of any internet-connected system that is not heavily shielded by a firewall and you will see dozens of attack attempts every hour.

With the rise of ransomware (some statistics say nearly 50 percent of organizations have been hit by it!), one should realize that nearly everybody is an attractive target. Even if you have a backup of all your data, the thought that a third party may have had access to all your files, contacts, calendar data and more is not a comforting one, whether the data sits on a public or a private server.

Security issues in a nutshell

Of course, not every security vulnerability gives an attacker full access to your data. The last vulnerability with such a critical impact that was exploitable without authentication was fixed in ownCloud in July 2016. For the record, the issue was found by Lukas Reschke of the Nextcloud Security Team, that is, me. We still actively reported security issues back to ownCloud in the first few months after the fork.

Note that this means that any ownCloud or Nextcloud version not updated since July 2016 is vulnerable to this problem!

However, it is important to understand the risk associated with each security issue. Nextcloud publishes security information 14 days after the fixed release on our Security Advisories page. This is considered a security best practice. One reason is that the published details let a server owner determine whether their server might have been breached.

The security advisories usually contain the following information:

  • A risk level
  • A description
  • The affected software
  • Security researcher acknowledgments

Moreover, this is where another advantage of open-source software shows: you can analyze the impact of a security issue on your own environment, and you can review and verify our security patches yourself.

To get more practical: when looking at recent Nextcloud issues, you will mostly see XSS (cross-site scripting) issues, meaning that an attacker may be able to execute malicious JavaScript in the context of your browser session. In less technical terms, whatever you can do in your Nextcloud browser session, the attacker can do as well. To exploit such issues, attackers typically have to get you to open a malicious link, for example through a phishing email.

Such issues are not as easy to exploit in an automated attack as a complete authentication bypass. It is still important to update as quickly as possible, unless you are willing to risk your data over one accidental click on a malicious link, by you or by another user on your server. With the new Nextcloud updater, updating is far too easy to justify that risk.

How Nextcloud protects you

Nextcloud has been designed from the ground up to protect the data on your own server. Our multi-layered approach addresses security on three levels: first, state-of-the-art security features and measures; second, integrated, industry-leading hardening capabilities that put up an additional barrier for attackers; and third, a way of working that puts security first, making it a top priority at every stage of our development process and after our software is released.

Features and capabilities

After installation, Nextcloud automatically detects many potential security problems and misconfigurations itself. The administrator is warned about them, with links to documentation on how to fix each problem. We firmly recommend checking the admin settings regularly, as major releases in particular add new checks and recommendations.

Nextcloud ships with many security features enabled by default, such as our brute force protection. We usually encourage people to keep their Nextcloud configuration as close to the defaults as possible, which lets us provide you with sane security defaults. On top of that, enabling our integrated two-factor authentication makes it significantly harder to break into user accounts. When two-factor authentication is enabled, external applications that have access to Nextcloud, like a calendar app on your phone, can be denied access to the file system in Nextcloud 11; we recommend enabling that.
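To make two of the points above concrete, the automated login attempts that show up in any server's log and the brute force protection that answers them, here is an added example of a sliding-window login throttler in Python. It is not Nextcloud's own code and does not reproduce Nextcloud's actual algorithm; the log format, the ten-minute window, the five-attempt limit and the doubling delay are assumptions for illustration, and the log lines are constructed.

```python
"""Sliding-window brute force throttle over login log lines.

Added example, not Nextcloud's own brute force protection. Log format,
window, limit and delay schedule are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log lines in an assumed format: timestamp, client IP, outcome, user.
SAMPLE_LOG = """\
2017-02-01T10:00:01Z 203.0.113.7 login FAILED user=admin
2017-02-01T10:00:02Z 203.0.113.7 login FAILED user=admin
2017-02-01T10:00:02Z 203.0.113.7 login FAILED user=root
2017-02-01T10:00:03Z 203.0.113.7 login FAILED user=test
2017-02-01T10:00:04Z 203.0.113.7 login FAILED user=user
2017-02-01T10:00:05Z 203.0.113.7 login FAILED user=admin
2017-02-01T10:00:30Z 198.51.100.12 login FAILED user=alice
2017-02-01T10:00:45Z 198.51.100.12 login OK user=alice
2017-02-01T10:15:10Z 203.0.113.7 login FAILED user=admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (FAILED|OK) user=(\S+)$")


class Throttler:
    """Track failed logins per client IP inside a sliding time window."""

    def __init__(self, window=timedelta(minutes=10), max_attempts=5, max_delay=25.0):
        self.window = window
        self.max_attempts = max_attempts
        self.max_delay = max_delay            # cap so a flood cannot make the delay unbounded
        self._failures = defaultdict(deque)   # ip -> timestamps of failures, oldest first

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def failures(self, ip, now):
        """Number of failed attempts from ip within the window ending at now."""
        self._prune(ip, now)
        return len(self._failures[ip])

    def delay(self, ip, now):
        """Seconds to stall the next attempt: doubles per failure, capped at max_delay."""
        n = self.failures(ip, now)
        return 0.0 if n == 0 else float(min(self.max_delay, 2 ** (n - 1)))

    def blocked(self, ip, now):
        """True once the IP has exhausted its attempts within the window."""
        return self.failures(ip, now) >= self.max_attempts

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)

    def reset(self, ip):
        """A successful login clears the IP's history (design choice of this example)."""
        self._failures.pop(ip, None)


def replay(log_text, throttler=None):
    """Replay log lines in order and return the decision taken before each attempt:
    (timestamp, ip, failures_in_window, delay_seconds, blocked)."""
    th = throttler or Throttler()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login events
        ts, ip, outcome, _user = m.groups()
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        decisions.append((ts, ip, th.failures(ip, now), th.delay(ip, now), th.blocked(ip, now)))
        if outcome == "FAILED":
            th.record_failure(ip, now)
        else:
            th.reset(ip)
    return decisions


if __name__ == "__main__":
    for ts, ip, n, delay, blocked in replay(SAMPLE_LOG):
        state = "BLOCKED" if blocked else f"delay {delay:>4.1f}s"
        print(f"{ts} {ip:<14} failures={n} {state}")
```

Running the replay shows the scanner at 203.0.113.7 being slowed down with every failure and blocked on its sixth attempt, while the legitimate user who mistypes once pays only a one-second delay. The last line illustrates the window: fifteen minutes later the scanner's earlier failures have expired, so it starts again from zero, which is why a sliding window alone is never a substitute for strong passwords and two-factor authentication.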

Hardening

During the development of any complex piece of software, mistakes are inevitable. On top of that, the technologies keeping you secure (like encryption or hashing mechanisms) are occasionally broken by security researchers. To protect systems even when attackers have found a way to weaken one or more defenses, Nextcloud includes hardening features that provide a second layer of protection.

For example, we ship a very restrictive Content-Security-Policy (Level 3) that mitigates XSS issues: it only allows the browser to execute trusted JavaScript code, so injected script is blocked even when an XSS bug exists. Another new technology, not yet supported by all browsers, is Same-Site Cookies, which stop the browser from attaching your session cookie to requests initiated from other sites and thereby take the teeth out of CSRF in browsers that support them. More visible is that we require password confirmation before performing some sensitive actions in the web interface. And this is just the start of a very long list of security-relevant features that we are working on or have already implemented. You can find a long overview of the improvements that debuted in Nextcloud 11 here.
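The two headers mentioned above are easy to check from the outside. The following added example (not Nextcloud's setup check or any of its code) audits a captured set of response headers in Python, flagging a Content-Security-Policy that still permits inline or eval'd script or plugins, and session cookies that lack the Secure, HttpOnly and SameSite attributes. The header values for the weak and hardened cases are constructed; the nonce and cookie names are placeholders.

```python
"""Audit HTTP response headers for CSP and cookie hardening.

Added example, not Nextcloud's own code or setup check. Header sets are constructed.
"""


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_csp(value):
    """Return findings for a CSP header value (None means the header is absent)."""
    if value is None:
        return ["no Content-Security-Policy header: no XSS mitigation at all"]
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback; unlisted directives are unrestricted")
    # script-src falls back to default-src when it is not set explicitly.
    script = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if weak in script:
            findings.append(f"script-src allows {weak}, so injected script can still run")
    # Plugins (Flash, Java) should be disabled outright.
    objects = policy.get("object-src", policy.get("default-src", []))
    if "'none'" not in objects:
        findings.append("object-src does not disable plugins")
    return findings


def audit_cookie(set_cookie):
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
    if attrs.get("samesite") not in ("strict", "lax"):
        findings.append(f"cookie {name}: SameSite not Strict or Lax (cross-site requests carry it)")
    return findings


def audit(headers):
    """headers: {'Content-Security-Policy': str or None, 'Set-Cookie': [str, ...]}"""
    findings = audit_csp(headers.get("Content-Security-Policy"))
    for cookie in headers.get("Set-Cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed header sets: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "Set-Cookie": ["session=abc123; Path=/"],
}
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; style-src 'self'; "
        "img-src 'self' data:; connect-src 'self'; font-src 'self'; "
        "frame-ancestors 'self'; base-uri 'self'; object-src 'none'"
    ),
    "Set-Cookie": [
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "csrf=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
    ],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(audit(hdrs))} finding(s)")
        for finding in audit(hdrs):
            print("  -", finding)
```

The weak set produces six findings and the hardened set none. Two caveats a practitioner should keep in mind: a CSP only blocks the injected script, it does not remove the XSS bug, so the update is still required; and because SameSite is enforced only by browsers that implement it, a server-side CSRF token must stay in place alongside the cookie attribute.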

Are these mitigation measures perfect? Certainly not. They help in some attack scenarios, and attackers will look for other ways to breach systems. But they most certainly make an attacker's life significantly harder by forcing them to bypass another layer of security. That is why we keep adding new measures and closely track new security technologies in the web browsers, web servers and operating systems through which users access Nextcloud.

To add to the built-in hardening capabilities, I recommend taking a look at our server hardening guidance. While it covers only a subset of the possible hardening measures for server maintenance, it is a good start.

Organization

In addition to these technical measures, we also fight security issues on an organizational level. We treat security as a process and integrate it into every step of our development. That starts with training developers to write secure code, evaluating the security impact of new features and capabilities, running a variety of security scans against our code, and having a responsive, effective security reporting process.

As part of that, we run a security bug bounty program with rewards up to $5,000. This is one of the highest payouts in the open-source world, putting our money where our mouth is.

We recently had our processes evaluated against industry standards such as Clause 14 of ISO/IEC 27001:2013. To quote from the report:

Nextcloud understands the necessity to provide core principle baseline security requirements, as such Nextcloud 11 is built on these security principles to ultimately deliver a secure solution to their customers

You can learn more about our security processes and reviews at our security page.

The future: automatic updates

We realize that updating has been a major issue in the past. Many people are reluctant to update their servers because of a sub-par update experience. Problems in the upgrading utility caused major headaches. Some people even had to recover data manually after a broken update.

One of our first changes at Nextcloud after the fork was to write a new, more stable and reliable update utility from scratch. The updater is now a stand-alone program that performs a number of integrity checks before upgrading your instance.

The amount of positive feedback we are getting about the new updater application is tremendous. Moreover, we are not finished improving the updating experience: Nextcloud 12 with PHP 7.0 will, for example, stop disabling apps after minor version updates, removing another often-criticized hassle.

This is already a huge step forward, and the Nextcloud updating experience is one of the most seamless and easy for software as sophisticated as ours. But of course, we appreciate any bug reports, feature requests and code improvements!

Our end goal is ambitious: fully automatic application of security and bugfix updates. That will still require significant development and testing effort. But it will make Nextcloud instances even more secure than they are today.

Let us help you keep your data secure

Our customers get proactive help with upgrading and keeping their systems secure, and we warn them in advance when security problems are found. Furthermore, we offer up to 10 years of security support for our software to Enterprise customers. Learn more about our commercial offerings at https://nextcloud.com/enterprise/.

At a minimum, we recommend subscribing to our low-traffic release mailing list, which keeps you informed about all available software updates.

We believe that running a Nextcloud instance is the most secure and easy way to keep your data safe. If you follow security best practices such as updating your instance swiftly, your data is in the best hands.