Ignore Certificates for Windows Client

Our IT department uses kind of a middleware(?) for certificates which results in nextcloud getting a “new one” to trust each time the computer is restarted. As I cannot tell anyways if the certificate is to be trusted and just assume that everything is okay I wonder if its possible on the windows client to ignore certificates altogether. I think I saw something for this on linux a while back when searching but never found an answer for windows. Hoping for a oneliner in nextcloud.cfg. Or maybe there is a better way. Help is much appreciated.

Can you post more details? Is it the Windows Nextcloud client or a browser? Can you post the message and/or the certificate? It is a kind of SSL inspection? For normal websites ssl inspection makes no problems (no new messages) because of the CA of the SSL proxy is accepted from the browser manipulated certifcate list.

The Risks of SSL Inspection

Because of security issue ask your IT department to stop ssl inspection.

I think they will rather say that one should not connect to personal network services using company devices and then block the access. Well, that’s at least what my company would do if I would ask that question. :wink:

Companies have a legitimate interest to know what kind of data is going out of the company network and of course what is coming in (malware etc…) In our company we have a seperate “guest” WLAN without SSL inspection, to which eployees can connect their personal devices in order to access things like their personal Nextcloud instances.

Not sure if you really want that, asuming that you are trying to install the Nextcloud Client on a company device, which you probably shouldn’t do in the first place. Regardless of whether you get it to work (not sure if this is possible), the company would be able to see all the data you transfer in plain text including your password. And that’s something that I personally wouldn’t want them to be able to see.

And in general, I think it’s better to separate personal IT infrastructure and business infrastructure. That prevents you from getting into a situation that could be, let’s say, legally problematic and in the worst case could even cost you your job…

@bb77
If the user uses client side encryption e.g. Nextcloud End to End Encryption the ssl inspection does not work. :wink: But normally they do not fully deny the access which would be consistent. They only e.g. ask every time for the certificate @philsson wrote above. Not really a security feature. :wink: They inspect the ssl traffic. But e2e is additional end-to-end encrypted in the application. This has nothing to do with ssl. you could even do without ssl.

Yes, if OP is using it.

Also it brings a lot of it’s own issues and limitations… :wink:

1 Like

After reading your replies I just uninstalled the nextcloud client. You have some good thoughts and points here and I don’t really think IT will care what data one uses it for. This means I won’t be updating you about the exact message, unfortunately for the curious ones. In practice from a policy perspective it might not be different from occasionally connecting a USB drive or sending oneself an email, but having a permanent connection might be seen a bit differently I guess.

Yeah sure I was just generally speaking. It depends of course on how much effort they put into locking everything down, which of course doesn’t mean that just because something works, you should automatically assume that it is allowed. Also the fact that something is allowed or not explicitly forbidden, doesn’t necessarily mean that it is a good idea to do it. :wink:

Of course there are also companies where the client devices are completley locked down. You can’t even connect a USB drive without special permissions or access the internet without using the company network. Also all email traffic can be routed though a proxy where the mail attachments will be scanned for malware. It is also possible to scan the content of the email and attachements itself for keywords in order to limit spam messages and to detect certain content that is not allowed to be sent.

But even if your company doesn’t do any of that, unlike with https traffic, where they would be mostly blind without SSL inspection, they can of course see everything that you are sending or receiving via the company mail servers. Also, in most countries or states, companies are required by law to preseve emails for a certain period of time. So the messages remain not only stored on the mail server, but they usually also will be archived, which means even if you delete messages in your mailbox, they could still restore it from the mail archive.

I think the bigger risk is email and usbsticks because in this cases the stupid user can contacted directly. If your company allows clouds like Dropbox, Google Drive, M365 or millions of Nextclouds you must first find the correct cloud and the correct file with the malware. Maybe if someone sends you an email with only a link not filtered from the scanner. But what is the problem than: the email with the link or the link to the cloud? I think the email is the problem. :wink:
Also you do not need a cloud. You can copy malware on every webserver and link to it in email. Some company try do use negative lists. Does not work really good, too.

That’s one of the reasons why some comanies want SSL inspection. :wink: But there is of course no such thing like a 100% detection rate. Locking down client devices, SSL inspection and scanning email messages are only one part of the battle. You also have to train your users to be more aware of security risks.

Also with new protocols like HTTP/3 / QUIC it will get much harder to inspect traffic. And if you for some reason need to use services like Google Workspace, M365, Dropbox in order to run your business you cannot block access to these services entirely. At the end of the day it’s a never ending cat and mouse game. :wink: