Post B20KofQ2piXFa3UZIO by zzt@mas.to
Post #B20KoZhu4PFtrhnkIa by zzt@mas.to
2026-01-05T22:17:07Z
0 likes, 1 repeats
please stop playing fucking games with the meaning of end-to-end encryption, thanks

cc nextcloud (whose end to end encryption is effectively an expensive inconvenient no-op, see https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf which the project never fixed or even acknowledged), seafile (whose “end-to-end” encryption sends your password and key to the server), fucking proton (whose end-to-end encrypted LLM features aren’t end-to-end encrypted at all), et al.

see replies for an important note on the nextcloud paper!
Post #B20KofQ2piXFa3UZIO by zzt@mas.to
2026-01-05T22:17:39Z
0 likes, 0 repeats
no I’m not tagging any of the project accounts I listed, they don’t give a shit
Post #B20KofQkn56PcFp8Ou by zzt@mas.to
2026-01-06T08:21:30Z
0 likes, 0 repeats
a note about the nextcloud paper:

some asshole who values fandom over security has tried to tell me I’m spreading misinformation about nextcloud because they claim the vulnerabilities in the Share with Care paper have been acknowledged and fixed by the project.

surprise, that’s misinformation. the lesser vulnerabilities in the paper, the Ghost Key Attack (chapter 5.2) and IV reuse (5.3), have been fixed.

the key insertion attack (5.1), which renders e2e a no-op, has not been fixed.
Post #B20Kol63iw77BoBgye by zzt@mas.to
2026-01-06T08:25:10Z
0 likes, 0 repeats
I’m gonna be honest, it’s hard for me to give a shit that 5.2 and 5.3 have been fixed when 5.1 allows arbitrary users to cause your client to reencrypt your files with their key. that’s a fucking amazing vulnerability to have in an e2e implementation, and the paper correctly says it’s a fundamental flaw in the cryptosystem. It can be mitigated, maybe, if you give up on major functionality (sharing) and no other functionality touches this part of the cryptosystem. that’s pretty fucking awful.
Post #B20Kol6lgIgHE0WG5A by zzt@mas.to
2026-01-05T22:58:49Z
0 likes, 0 repeats
“check out our encrypted self-hosted cloud!”

I look at the encryption

it’s TLS that everyone turns off in deployments cause their reverse proxy takes care of it
Post #B20KotmXQsqY7s7jIe by zzt@mas.to
2026-01-06T08:27:30Z
0 likes, 0 repeats
the fucking ass in my replies linked https://github.com/nextcloud/desktop/pull/7333 as a supposed fix for 5.1. I’m rate limited on GitHub from researching this horseshit so it took me a while to open the link.

surprise, it’s a fix for 5.2. it’s trivially obviously a fix for 5.2. they searched GitHub for a random fix that looked related cause for them, using nextcloud is more important than being safe. wild shit.

even wilder, they accused me of trying to damage a project that I honestly wish I could use and recommend.
Post #B20KozOIZv1RWQpSLo by zzt@mas.to
2026-01-06T08:30:34Z
0 likes, 0 repeats
as always, I’m being very mean about this stuff because it’s important. good security beats manners, fandom, and all manner of other shit. once your privacy is blown, you don’t get what you’ve lost back. no I won’t be contributing fixes to nextcloud because it seems to me it’s fucked in terms of its security stance. if that ever changes, I’d love to see an audit that proves it.