Nextcloud install via HomeDrive.io - Are there privacy or security risks?

I have recently setup a Nextcloud instance via Docker and HomeDrive.io. It was a lot easier to setup for a newbie than the manual way and it just ‘works’. No need for a domain name or setting up HTTPS etc…

This however worries me a little as it means I do not really understand my own server and how it is running. How do i know my Nextcloud instance is actually secure? If the end point is HomeDrive.io, can they theoretically see all my traffic? There seems to be nothing online about them but the companies own site which is reassuring but a bit vague and only one source.

I know they appear on the Nextcloud site under ‘Devices’ but have they been vetted, has the source code been checked? Who are the people behind the project? This seems a bit like trusting a third party service provider with my data. I just have to trust that the company treats updating and security seriously and that they actually delete logs and have no way of accessing my data.

Is there a real concern here or am I misunderstanding the way HomeDrive works?

Sorry i do not use https://www.homedrive.io but the connection between client and your server seems to be TLS/SSL end-to-end encrypted.

You can e.g. verify the TLS/SSL certificates (browser and on your server).

But i do not know something about performance and also you must trust them because of the source code. But you must also trust Nextcloud for the source code, …

Does the HomeDrive Fabrics service see my TCP/IP data?

All traffic transferred via HomeDrive Fabrics service are HTTPS/TLS, so the HTTP service traffic is always end-to-end encrypted. Users trust HomeDrive Fabrics service no more than an Internet service provider that is routing Internet IP packets.

So technically, yes, Fabrics sees all the TCP/IP data, but protecting user’s privacy and security do not rely on hiding these data from attackers anyways.

FAQ

Thank you for your reply devnull.

I understand the fabrics connection is end to end encrypted, but would it still be possible for Homedrive to have some kind of backdoor or unintended bug that allows themselves or attackers to see your data?

I don’t have the skills to review the source code and the project seems to be very small so I am not sure if anyone has reviewed it themselves? I tried searching online and there seems to be very little information on the project beyond its own website.

Not over the SSL connection. But since you have software from them installed on your system, of course you have to trust that software. But you must also trust the software from Nextcloud, for example. This could also contain bugs or backdoors. And if you use Windows, you have to trust Microsoft.

Yes it is a problem. Also i do not understand it.

Source Code (documentation)
Github/shanhuio/homedrv-build with Elsa / caco3
Github/shanhuio/homedrv-drv

Seems to be the sources on Github:
https://github.com/shanhuio/homedrv-build/blob/master/WORKSPACE.caco3:

repo_map {
    Src: {
        "shanhu.io/lib/dockers": "https://github.com/shanhuio/lib-dockers.git",
        "shanhu.io/pub": "https://github.com/shanhuio/pub.git",
        "shanhu.io/lib/misc-ts": "https://github.com/shanhuio/lib-misc-ts.git",
        "shanhu.io/lib/htmlgen-ts": "https://github.com/shanhuio/lib-htmlgen-ts.git",
        "shanhu.io/lib/style-ts": "https://github.com/shanhuio/lib-style-ts.git",
        "shanhu.io/homedrv/drv": "https://github.com/shanhuio/homedrv-drv.git",
        "shanhu.io/homedrv/drv-ts": "https://github.com/shanhuio/homedrv-drv-ts.git",
        "shanhu.io/homedrv/dockers": "https://github.com/shanhuio/homedrv-dockers.git",
    },
}

But why shanhu.io (above in JSON but also url)
https://github.com/shanhuio/homedrv-build/blob/master/readme.md

Building Steps

Step 0: Install Linux with Docker and latest Go language.

Step 1: Install caco3, our building tool:

go install shanhu.io/caco3/cmd/caco3@latest

Step 2: Sync down other repositories:

caco3 sync

Step 3: Build the containers:

caco3 build shanhu.io/homedrv/dockers/dockers

Why github dir on url?
https://www.shanhu.io/github