I noticed today that the Nextcloud app for Windows transmits the password unencrypted. This is not a huge, huge deal for me because it's in my network and I have a firewall, but I do think it should not be so readily available to snoopers. Any ideas about why this is?
Are you not using https??
I am. The app does not use SSL; it uses “PROPFIND /remote.php/dav/files/admin/” to call the server. PROPFIND is a (deprecated) HTTP protocol and shouldn't be used. My Nextcloud server is behind my gateway; I use a reverse proxy to access it, force SSL and use a cert from said reverse proxy. That way I can have one cert I configure on my gateway and use the reverse proxy to do SERVER.domain.com and have the same cert covering them all. The problem with using PROPFIND HTTP calls is that it triggers a policy violation on one of my firewalls and gets blocked. I realize the HTTP is inside the network, but instead of “PROPFIND /remote.php/dav/files/admin/” I'd rather use “PROPFIND https://cloud.domain.com/remote.php/dav/files/admin/”, forcing SSL, so I don't keep having to file reports for corporate violations over the insecure call.
Edit: I realize PROPFIND is WebDAV related, maybe why it's being used, but it's still annoying that the site is secure, the content is secure, and it is impossible to access without SSL because I force a redirect using the Apache reverse proxy; it's only the Windows app that transmits data over HTTP, and only for that. I have logs of this happening as well and would love to get an opinion.
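Added example, not part of the original thread or the Nextcloud client's code: a small Python audit that shows what a passive sniffer on the LAN recovers from a plaintext WebDAV request like the one described above, and why a proxy-side HTTPS redirect does not help, because the Authorization header has already left the client before any 301 comes back. The captures, the host cloud.domain.com, the Basic credentials and the bearer token are all constructed; whether the client sends Basic or Bearer is an assumption here, so the check handles both.

```python
"""Flag HTTP requests that carry credentials over a plaintext connection.

Added example with constructed captures; nothing here is taken from a real
Nextcloud client or server.
"""
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class Capture:
    """One HTTP request as a sniffer on the LAN would see it."""
    tls: bool   # True if the bytes travelled inside a TLS session (assumed known from the capture)
    raw: str    # raw request text with CRLF line endings


# Constructed sample captures (assumed values; not real credentials).
CAPTURES = [
    # Plaintext PROPFIND with Basic auth: the proxy's redirect to HTTPS arrives
    # only after this request, so the credentials are already on the wire.
    Capture(tls=False, raw=(
        "PROPFIND /remote.php/dav/files/admin/ HTTP/1.1\r\n"
        "Host: cloud.domain.com\r\n"
        "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
        "Depth: 0\r\n\r\n")),
    # Same request over TLS: a sniffer sees ciphertext only.
    Capture(tls=True, raw=(
        "PROPFIND /remote.php/dav/files/admin/ HTTP/1.1\r\n"
        "Host: cloud.domain.com\r\n"
        "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
        "Depth: 0\r\n\r\n")),
    # Plaintext but unauthenticated: the redirect is harmless here.
    Capture(tls=False, raw=(
        "GET /status.php HTTP/1.1\r\n"
        "Host: cloud.domain.com\r\n\r\n")),
    # Plaintext with a bearer token (constructed): no username to decode,
    # but the token itself is replayable.
    Capture(tls=False, raw=(
        "PROPFIND /remote.php/dav/files/admin/ HTTP/1.1\r\n"
        "Host: cloud.domain.com\r\n"
        "Authorization: Bearer exampletoken123\r\n\r\n")),
]


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers); header names lowercased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def exposed_credentials(cap: Capture) -> Optional[dict]:
    """Return what a passive snooper recovers from this request, or None if nothing."""
    if cap.tls:
        return None  # ciphertext on the wire; nothing to read
    method, target, headers = parse_request(cap.raw)
    auth = headers.get("authorization")
    if not auth:
        return None  # plaintext, but no secret in it
    scheme, _, param = auth.partition(" ")
    finding = {"method": method, "host": headers.get("host", ""), "target": target,
               "scheme": scheme.lower(), "user": None, "secret": param}
    if scheme.lower() == "basic":
        try:
            # Basic auth is base64("user:password"): trivially reversible, not encryption.
            user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
            finding["user"], finding["secret"] = user, password
        except (ValueError, UnicodeDecodeError):
            pass  # malformed token; still report it as exposed
    return finding


def audit(captures):
    """List every request from which a sniffer recovers a credential."""
    return [f for f in (exposed_credentials(c) for c in captures) if f]


if __name__ == "__main__":
    for f in audit(CAPTURES):
        print(f"{f['method']} http://{f['host']}{f['target']} leaks "
              f"{f['scheme']} credential user={f['user']!r} secret={f['secret']!r}")
```

The point the audit makes concrete: forcing HTTPS at the reverse proxy only protects requests that start out on port 443. A client that opens a plaintext connection sends its Authorization header in the very first request, so the server-side redirect (or HSTS, which a non-browser client may ignore) cannot claw it back; the client's configured server URL has to be https:// from the start.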
Which firewall do you use? Do you run your client on the internal network using HTTP?