Hacker News new | ask | show | jobs
by LukasReschke 3668 days ago
I'd like to point you to https://statuscode.ch/2015/09/ownCloud-security-development-... and make you aware of https://seacloud.cc/group/3/wiki/security-records.md and you should probably consider who reported the last critical vulnerability.

Only because a project is serious about actually publishing vulnerability data does not make it necessarily more insecure (or secure).
1 comments
gstuartj 3668 days ago
I agree. Just pointing out that the specific problem the above poster mentioned as a reason to choose OwnCloud also is similarly true of OwnCloud.

https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-t...

link
LukasReschke 3668 days ago
The impact is a different one though. In that scenario pointed by Hanno somebody needs to have access to the storage which already requires some kind of previous gained access. What could be done by an attacker then is to infect EXE files or so.

In the case of Seafile one could simply change passwords of any user etc.

But yes, crypto is hard and I agree that the way we did it at ownCloud is far away from the best way. :-)

link