NC App in transit encryption, avoid L7 firewall/inspection

Hiya,
I know the NC Client uses TLS to talk to a NC server, but I have a worry:
At a customer site, they are going to implement a) a L7 firewall which does packet and session inspection, and b) forward proxying using a MITM proxy.
This means that even though the NC client and server use TLS, the server certificate will be replaced by the MITM proxy with its own certificate. This in turn means that TLS encryption is worth nothing, since the proxy will decrypt traffic so that the L7 firewall can inspect it.

My question is: Does the NC client use any encryption on top of TLS to prevent this?
I know that E2EE is a possibility, but I’m not interested in storing encrypted data on the NC server.

Thanks,

/tony

Security measures like TLS inspection don't happen magically. As you describe, the proxy will have its own CA and replace all the certificates in order to break TLS encryption. As long as you don't import this CA certificate it is impossible to break the encryption… but usually you will have no connection anymore. It is the choice of the company admin to allow or block and inspect specific connections, and there are always options to bypass TLS inspection for trusted and known-good services like banking etc… You can ask the admin to create an exception for your Nextcloud.

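The reply above describes the two outcomes a client sees behind an inspecting proxy: either the proxy's CA is in the trust store and the replaced certificate is accepted silently, or it is not and the connection fails. The script below is an added example (not code from the thread, and not part of the Nextcloud client) showing how an administrator can tell the two apart from the client side: it records the SHA-256 fingerprint of the certificate the server really serves (obtained out of band, for instance on the server itself) and compares it with the certificate actually presented on the network path. A fingerprint mismatch with a trusted chain means an installed interception CA; a verification error means the interception CA is not trusted. The host name and the pin value at the bottom are placeholders to be replaced with your own.

```python
"""Detect TLS interception by pinning a server's certificate fingerprint.

Added example for this thread; assumes the expected fingerprint was recorded
out of band on the Nextcloud server. Uses only the Python standard library.
"""
import hashlib
import socket
import ssl


def fingerprint_sha256(der_bytes: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded certificate
    (the same format `openssl x509 -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(der_bytes: bytes, expected_pins) -> bool:
    """True if the presented certificate matches one of the pins recorded out of band.
    Pins may be given with or without colons and in either case."""
    normalized = {p.replace(":", "").upper() for p in expected_pins}
    return fingerprint_sha256(der_bytes).replace(":", "") in normalized


def fetch_leaf_cert(host: str, port: int = 443, verify: bool = True, timeout: float = 5.0):
    """Return (der_bytes, issuer) for the certificate the peer presents.

    With verify=True the system trust store is used, so a proxy whose CA has not
    been imported makes this raise ssl.SSLCertVerificationError: the
    "no connection anymore" case from the reply. With verify=False we only look
    at what is presented (no identity check), which is useful for diagnostics.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()  # empty dict when verification is disabled
            issuer = dict(rdn[0] for rdn in info["issuer"]) if info else None
            return der, issuer


def assess(host: str, expected_pins, port: int = 443) -> dict:
    """Classify what this client actually sees on its network path.

    pin_ok         - trusted chain and the fingerprint we recorded: no interception.
    pin_mismatch   - trusted chain but a different certificate: an interception CA
                     is installed in this trust store (the admin's "allow and inspect").
    untrusted_cert - verification failed: a replaced certificate from a CA that is
                     not trusted here (the admin's "block"), reported for diagnosis.
    """
    try:
        der, issuer = fetch_leaf_cert(host, port, verify=True)
    except ssl.SSLCertVerificationError as exc:
        der, _ = fetch_leaf_cert(host, port, verify=False)
        return {"status": "untrusted_cert",
                "fingerprint": fingerprint_sha256(der),
                "detail": str(exc)}
    status = "pin_ok" if check_pin(der, expected_pins) else "pin_mismatch"
    return {"status": status,
            "fingerprint": fingerprint_sha256(der),
            "issuer": issuer}


if __name__ == "__main__":
    # Placeholders: replace with your Nextcloud host and the fingerprint recorded
    # on the server (e.g. openssl x509 -noout -fingerprint -sha256 -in server.crt).
    NEXTCLOUD_HOST = "cloud.example.invalid"
    EXPECTED_PINS = ["00:" * 31 + "00"]  # placeholder, not a real fingerprint
    print(assess(NEXTCLOUD_HOST, EXPECTED_PINS))
```

Run it from a machine inside the inspected network and from one outside it; if the outside run reports `pin_ok` and the inside run reports `pin_mismatch`, the `issuer` field will name the proxy's CA, which is the evidence to bring to the admin when asking for the Nextcloud exception the reply mentions. Pins must be rotated whenever the server certificate is renewed, so keep the recorded fingerprint next to the certificate renewal procedure.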