Unfortunately, the article links to the b.m. Nextcloud Security Scan page with outdated NC 13 docs.
Luckily, since 2019-11-26 the a.m. scan page has a link to the latest docs.
NOTE: The URL input field of the Nextcloud Security Scan page seems to be correct and one can get an actual security report, as should be appropriate. However, the line “hardening tips in our hardening guide” on the same page is pointing to outdated content.
This is rather unfortunate and may hurt the security awareness of the NC user community.
Obviously, Nextcloud at least sometimes appears to be far too lazy in updating their online documentation, and this can be quite misleading.
Only today I became aware of this unfortunate situation, after lending a hand to someone calling for protection against brute-force attacks who was apparently following outdated documentation.
@Jospoortvliet I would hope that both the user community and Nextcloud GmbH seek to improve this situation as soon as possible and as sustainably as is reasonable.
In principle maybe yes. In practice I cannot consent, and see the responsibility at Nextcloud GmbH as a business and the acc. P&R and IT Sec personnel involved. Nevertheless I took the effort to CC one of them specifically in the above already, or did you miss this detail?
scan.nextcloud.com doesn’t seem to have a high priority. It can be very useful (e.g. like the certificate check at ssllabs), but only if it is working… we shouldn’t have features that we are not able to maintain.
Documentation is a good point. There was even a talk about it on the last conference:
@tflidd — Thank you for your fair and reasonable answer.
However, learning the below from a presumed member of Nextcloud GmbH and our community leader of this forum:
And learning this from the a.m. web page of Nextcloud GmbH currently:
Check the security of your private Nextcloud server
Privacy does not exist without security.
To help you keep your data yours, this scan analyzes the
security of your server and gives you an overview of what to improve.
I feel some obligation in my private capacity as a member of this home user forum and may stress my current concern again by a rephrase:
By scan.nextcloud.com one can, by official invitation of Nextcloud GmbH, get a security audit report. However, the line “hardening tips in our hardening guide” on the same page is pointing home users and admins of private NC servers to outdated content, which may hurt the security awareness of the NC user community.
NC 13 as linked by the a.m. URL is clearly outdated and not supported any more, apparently.
I am just a community member and this is just an impression I got from the official discussions and bug reports on public feedback.
Don’t expect too much. It’s just supposed to check things that are visible from outside, e.g. if the version is up to date and if the data-folder is not readable. You could still run unpatched PHP versions, run an openly accessible database, have weak passwords, …
If the feature is kept in future versions, an update for each version should be part of the release procedure, like it was on the list in the past:
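To make the “visible from outside” point concrete: the following is an added example (not code from scan.nextcloud.com or the Nextcloud project) of the two outside-only checks named above, run offline against constructed responses. It assumes that a Nextcloud instance publishes its version in the JSON returned by `/status.php` and that a data directory exposed by the web server answers `GET /data/.ocdata` with HTTP 200; the “latest known release” table and the supported-series set are constructed for illustration, not fetched from Nextcloud.

```python
"""Offline sketch of an outside-only Nextcloud check (added example, not the scanner's code).

Assumptions (not verified against the real scanner):
- /status.php returns JSON with a "version" field such as "18.0.4.2";
- GET /data/.ocdata returning HTTP 200 means the data directory is web-readable;
- LATEST_PATCH and SUPPORTED_MAJORS are constructed tables for illustration only.
"""
import json
from typing import Dict, List, Tuple

# Constructed: newest patch release per major series (illustrative values only).
LATEST_PATCH: Dict[int, Tuple[int, ...]] = {
    13: (13, 0, 12),
    17: (17, 0, 6),
    18: (18, 0, 4),
}
# Constructed: series assumed to still receive fixes.
SUPPORTED_MAJORS = {17, 18}


def parse_version(s: str) -> Tuple[int, ...]:
    """'18.0.4.2' -> (18, 0, 4); the fourth component is a build number and is dropped."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts[:3]


def assess_status(status_body: str) -> List[str]:
    """Findings derivable from nothing but the public status.php JSON."""
    findings: List[str] = []
    try:
        status = json.loads(status_body)
    except json.JSONDecodeError:
        return ["status.php did not return JSON; cannot determine version"]
    if not status.get("installed", False):
        findings.append("instance reports itself as not installed")
    version = status.get("version")
    if not version:
        findings.append("status.php exposes no version field")
        return findings
    ver = parse_version(version)
    major = ver[0]
    if major not in SUPPORTED_MAJORS:
        findings.append(f"major version {major} is end-of-life")
    latest = LATEST_PATCH.get(major)
    if latest and ver < latest:
        findings.append(f"running {version}, latest known in series is "
                        + ".".join(map(str, latest)))
    return findings


def assess_data_dir(ocdata_http_status: int) -> List[str]:
    """Only the HTTP status of GET /data/.ocdata is visible from outside."""
    if ocdata_http_status == 200:
        return ["data directory is readable via the web server (/data/.ocdata returned 200)"]
    return []


def external_scan(status_body: str, ocdata_http_status: int) -> List[str]:
    """What an outside scan can say; unpatched PHP, open databases or weak
    passwords leave no trace in these two responses and are not reported."""
    return assess_status(status_body) + assess_data_dir(ocdata_http_status)


def fetch(base_url: str) -> Tuple[str, int]:
    """Live variant for your own server (not exercised offline):
    returns (status.php body, HTTP code of /data/.ocdata)."""
    import urllib.error
    import urllib.request
    base = base_url.rstrip("/")
    body = urllib.request.urlopen(base + "/status.php", timeout=10).read().decode()
    try:
        code = urllib.request.urlopen(base + "/data/.ocdata", timeout=10).status
    except urllib.error.HTTPError as err:
        code = err.code
    return body, code


# Constructed sample responses, not captured from a real server.
STATUS_OUTDATED = json.dumps({"installed": True, "version": "13.0.5.2",
                              "versionstring": "13.0.5"})
STATUS_CURRENT = json.dumps({"installed": True, "version": "18.0.4.2",
                             "versionstring": "18.0.4"})

if __name__ == "__main__":
    for finding in external_scan(STATUS_OUTDATED, 200):
        print("-", finding)
    # For a live check: external_scan(*fetch("https://cloud.example.org"))
```

Running the offline sample reports the end-of-life major, the missing patch level and the readable data directory; the current-and-closed sample reports nothing, which is exactly the limit of an outside scan.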
As the most deployed self-hosted file sync and content collaboration platform, Nextcloud offers the widest range of add-on capabilities and integrations in the industry. https://nextcloud.com/compare/
In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.
As a contributor, ensure that you give full credit for the work of others and bear in mind how your changes affect others. It is also expected that you try to follow the development schedule and guidelines.
What do you suggest? A quick scan from outside can reveal some basic stuff, not detailed configuration problems or permission settings. A deeper scan could get legally difficult, and even then it’s doubtful. It’s more efficient to check directly on the system with on-board tools and then it’s quickly more general than just Nextcloud and more about how to secure a linux webserver.
Hi there, always good to have a lively discussion.
IMHO your technical analysis is quite correct and the scan service provided by Nextcloud GmbH seems to be reasonable. Please note I never raised any concern of my own on these aspects.
IMHO by mainly (or may I say: only?) addressing the technical aspects of the a.m. scan itself you may have almost completely misunderstood my approach from the beginning. Unfortunately, you may have missed my several core points, which – without any difference in priority by the below sequence – are:
As a home user when “expected that you try to follow the … guidelines” one may stick to the letter and thus may fall into the trap of outdated documentation, false advice and outdated links, unfortunately.
Nextcloud being a prospering FOSS project by “hard work and enthusiasm of thousands of people” can become a sustainable success by always seeking to improve where reasonable, I presume.
My standing concern as well as my recent reply to your “Don’t expect too much?” was not intended to question your expertise or the expertise of Nextcloud GmbH or others. IMHO there is no need to defend anything and this is a free world. However, a real world with real challenges and with utter facts like good ambitions paired with too many requests and too few resources, or else mishaps. Marketing may advertise the job but generally shall not define the job to devs or the business as a whole, I presume.
No offence and please let me ask you again freely and openly:
Would you call my a.m. concern unreasonable and a solution not feasible by the web admin responsible for handling the many Nextcloud GmbH advertising and marketing online pages?
I guess you wouldn’t…
@kesselb – Hi, good proposal, and did you establish an issue?
IMHO this good idea may be misleading, unfortunately. Please note your proposal is not new to me and the last time I was not alone in the assumption that the issue cannot be placed as was expected. Furthermore, you may learn of my CC to a marketing person of the Nextcloud GmbH in the beginning of this thread. Please take the effort and read my thread as a whole, if I may.
AFAIK the a.m. page is outside the context of this repo due to:
@kesselb – Please be aware I was pinging somebody in the background for some time already. And about eight (8) days ago I got a nice and friendly reply from Nextcloud GmbH, and they assured me that somebody will address my a.m. issues and will check the web page accordingly.
As already written in this forum multiple times, you have to press the “trigger re-scan” button and reload the page to get the right version displayed. The date stamp in front of the button shows from what date the displayed information is, like e.g.: