PrivacyTools.io - Self-Hosted Cloud Server Software

Hey

Does anybody know why Nextcloud is only listed in “Worth Mentioning”?

I found no explanation in the issue tracker: Search · nextcloud · GitHub

They recommend in the first place:

  • Seafile
  • Pydio
  • Tahoe-LAFS

Only in https://privacytoolsio.github.io/privacytools.io/#cloud (Encrypted Cloud Storage Services) does Nextcloud have a top place.

rgs

Perhaps they have a set of definitions they go by, for which others more closely align? Who knows.

Maybe security features? Share dialog?

Seafile

Pro: Offers an option to encrypt files client-side
All files can be encrypted with AES 128-bit encryption before syncing with the server. Importantly, the feature

Client-side encryption NC doesn’t have yet, but passwords and expirations on shares are there.

1 Like

Great. I don’t need client-side encryption, because then I don’t see the files in the web interface (MP4 and JPEG).

1 Like

It’s a regular topic of conversation and the iOS client supports it, but indeed without the keys on the server you don’t get to make use of the files on anything but the device that uploaded them, and with the keys on the server the encryption is moot.

Arguably having it would be better than not for those who want it but it’s still a work in progress…

I’m not sure it matters too much not being top of the list in both categories on the site, though perhaps @jospoortvliet might be interested in having a look.

Pffff. Not sure if I want to get into a conversation there. Thing is, they have the feature ‘client side encryption’ even though it is worth absolutely nothing without external verification and review of the self-developed ‘security algorithms’. Example: Seafile at one point used a ‘random number’ they had hard-coded in the source. As in, anyone with access to the source code (which is on github…) could read anything, always. That one was fixed after OUR security guy pointed it out to them, but there is plenty more where that came from, I am sure, negating any protection the ‘encryption’ offers. So it is more of a false sense of security rather than real security which is offered, especially as neither has a decent security development process or any security people that I know of, nor a security bug bounty program to provide some incentive to report security issues.

But real security is quite invisible while a checklist on a web page is visible. It is the same situation with Telegram - their security code is also home grown and security experts consider it useless. But people use it because it is E2E encrypted. whoohoo! So SECURE! :cry:

Anyhow. Explaining to someone who knows nothing about security that you can’t trust such homegrown solutions is like explaining climate change to a layman climate change denier: they will think that the cold winter was proof that there’s no global warming, while in reality the local weather isn’t even relevant to the conversation in the first place.

You could ask why the most popular solution (Nextcloud+ownCloud) isn’t mentioned. If they are simply not aware of the relative size of the projects you could point to our earlier blog about statistics - of course, the amount of development going on doesn’t say everything about users but it gives an indication I guess. If the reason is that Nextcloud has no client side encryption you could of course ask if the encryption provided is built on an existing tech or was self-built and if so, if it has been examined by any experts, if there are any papers about it etcetera. They might care, or not. Perhaps one of them knows security stuff and is willing to spend 10 minutes investigating the projects, that would probably result in them dropping those three. But if not I wouldn’t have a fight about it.

I still far prefer people to use Seafile or Pydio over Dropbox, and having a fight with people who promote open source because they don’t promote the best solution but something slightly inferior – let’s not do that :wink:

Those users that really care about our advantages in security/ease of use/scalability or our features will end up with Nextcloud anyhow, I think. Those who don’t are fine with Pydio or Seafile.

2 Likes
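The post above mentions a hard-coded ‘random number’ in Seafile without saying what it was used for. As an added illustration (not Seafile’s or Nextcloud’s code), here is a constructed toy client-side encryption scheme whose salt and nonce are constants committed to source, beside the per-file random version, to show what such a constant gives away: every ciphertext becomes a pure function of password and plaintext, so equal files are visible as equal and one keystream is reused across files. The cipher, the constants and the function names are all constructed for this example.

```python
import hashlib
import secrets

# Constructed "random numbers" committed to source: public the moment the repo is.
HARDCODED_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
HARDCODED_NONCE = bytes.fromhex("feedfacecafebeef")


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key (PBKDF2-HMAC-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher, for illustration only.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_fixed(password: str, data: bytes) -> bytes:
    """Flawed design: salt and nonce are source constants, so the output depends
    only on (password, plaintext). Identical files encrypt identically for every
    user with that password, and every file under one password reuses one keystream."""
    key = derive_key(password, HARDCODED_SALT)
    return keystream_xor(key, HARDCODED_NONCE, data)


def encrypt_random(password: str, data: bytes) -> tuple[bytes, bytes, bytes]:
    """Sound design: fresh random salt and nonce per file, stored next to the
    ciphertext (they need not be secret, only unpredictable and unique)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    key = derive_key(password, salt)
    return salt, nonce, keystream_xor(key, nonce, data)


def decrypt_random(password: str, salt: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Recover the plaintext from the stored (salt, nonce, ciphertext) triple."""
    return keystream_xor(derive_key(password, salt), nonce, ct)
```

Encrypting the same file twice with encrypt_fixed yields byte-identical ciphertext; with encrypt_random it does not, and only the holder of the password plus the stored salt and nonce gets the file back.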

and sorry for the long answer :wink:

BTW, having a good look at the page, I’d actually prefer to update the Nextcloud description, pointing out it also does calendar, contacts, audio/video calls, chat, real-time document editing and much more - much more than the others.

1 Like

Oh, if you want links:
https://news.ycombinator.com/item?id=11049137
Well, or try to find security advisories for Seafile. I could only find some from 2014, which means either no bugs were found since then (riiiiight) or they have no process for that.
Pydio has some security documentation but I can’t find security advisories either. It probably means they never found security bugs, obviously because there aren’t any :grimacing:

Now again, I don’t want to go throw that at them, so - well, let’s hope a journalist or so is willing to write up a real analysis of these things to guide users. Or users will have to do their own research…

Maybe at one point we can do a blog about security and how people can determine if a project takes it seriously. Stuff like “have they documented their security approach? do they have security advisories on their website? etc.”

1 Like

I think nothing has been done regarding this because they had the issue between Syncwerk and Seafile. I’m active in the Seafile + Syncwerk forums as well and, as far as I can tell, there are no security advisories. :-/ But then again I am neither Seafile nor Syncwerk. Just a member of the community who wants good software to be brought to the people :slight_smile:

1 Like

The last Pydio security audit was from 2013 it seems…

https://pydio.com/en/docs/kb/security/pydio-security-model

So @jospoortvliet has had his Weetabix today.

:laughing:

1 Like