[technion]

Owncloud wrote this blog some time back:

> https://owncloud.org/blog/owncloud-and-php/

The discussions there around a "low barrier for entry" being a major goal of the project is, in my view, opposed to high levels of security.

Edit: This quote showcases my point:

    “nobody will dig into a complex build system for a week 

before they send their first patch,”

[jospoortvliet]

At the very least, yes, it makes it a lot harder.

But, for many users, security is complicated and us making it easy to run ownCloud includes that. You won't find many competitors with such extensive documentation, nor automatic security setup tips and warnings in the ownCloud admin interface.

Second, this is a matter of focus. For home and small server users, ease of use trumps perfect security, that is a simple risk model assumption: your security has to be good enough, not perfect. Better than others and all that.

For enterprise users, however, security IS paramount and ownCloud lends itself for that. We get security audits by the financial institutions and others which run ownCloud and have extensive security hardening and best practices in place. Of course, these enterprise users don't use the many 'random' community apps, which is where the vast majority of security issues can be expected. I think that, for enterprise usage, you'll find that ownCloud security practice belongs to the best. And that is in no small part thanks to the awesome that is Lukas Reschke.

[microtonal]

For home and small server users, ease of use trumps perfect security, that is a simple risk model assumption: your security has to be good enough, not perfect. Better than others and all that.

As someone else points out in a neighbouring thread, OwnCloud is generally less secure than any of the large services, because of automated vulnerability scanning. If an OwnCloud user updates their server days or even hours to late, it can be game over and your data is on the street. It does not matter if the attacked service is OwnCloud or some other service with enough privileges.

This does not mean that open source and/or decentralized services are at a disadvantage, but you have to make the right security choices. The storage service[1] should never see unencrypted data - encryption at rest is not good enough. For instance, Bittorrent Sync provides this with their encrypted read-only keys. A cloud peer with such a key never sees unencrypted folder data. The only thing you lose when a cloud peer is hacked is a node in the swarm, but it'll never result in visibility of plain-text (unless you subvert AES-128). One SyncThing developer is currently also working on similar functionality for SyncThing.

For this reason, I would never recommend OwnCloud to anyone outside a large company that has the capacity to do continuous security auditing and monitoring, unless you apply client-side encryption (but then you could use Dropbox et al. as well if privacy is the primary consideration).

[1] I know that OwnCloud does more than just storage.

[jospoortvliet]

Self hosting does have this issue in general, yes. It is a bit harder to get at security vulnerabilities in ownCloud as was initially portrayed in the thread you mention (we publish CVE's 2 weeks after updates have hit the net, and these updates contain unmarked security updates).

Client side encryption is a great solution but you lose out on most of the benefits of the cloud.

Honestly, I don't know. I haven't seen any of such attacks but of course, with about 3 million users, ownCloud isn't a HUGE target. I just don't like the idea of giving up on self hosting ;-)

[jospoortvliet]

I also wonder how successful such automated scanning attacks are against a simple login screen. Esp compared with the fact that on the big services people routinely call the helpdesk and manage to get passwords reset and all that so they get into accounts. That won't happen with your private ownCloud...

With regards to 'usability first' vs 'security first' approaches, this is what 'security first' gets you: https://twitter.com/davide_paltri/status/676696685456826368

I rest my case ;-)