Desktop: CRITICAL SECURITY ISSUE DISCLOSURE: End-to-End Encryption stores files as plain text on the server

Created on 25 Jun 2019 · 13 Comments · Source: nextcloud/desktop

Dear developers and community members,

I have discovered an extremely concerning and disheartening security flaw in the Nextcloud E2EE system. Please address this issue ASAP.

While testing the E2EE system I have discovered that the files stored in the "encrypted" folder are in fact being stored as plain text on my servers. I followed the standard procedure of creating an empty folder, and right-clicking it in the desktop front-end and clicking on encrypt. The folder is marked with a green lock in the front-end marking it as an encrypted folder. Then I added files in the folder in Windows Explorer to the encrypted folder and waited for the front-end to indicate that the synchronization process has completed. When trying to access the folder through the web interface, it says that operation is not permitted, as is to be expected.

After this procedure, I looked inside the data folder on my server, and I have found that the files in the encrypted folder are present in plain text just as any other non-encrypted folder.

Please take the necessary precautions, and investigate how this obvious security flaw was allowed to exist in the code. I believe this issue is easy to reproduce, as I have not done anything unusual to produce this issue.

Labels: bug, feature, end to end encryption, security

All 13 comments

This issue happens with the Nextcloud server 16.0.1, and Nextcloud desktop client 2.5.2.

So did you enable the end to end encryption on the server? And I guess you had a password set on the client?

I have tested with Android and Linux desktop client and both can encrypt a folder and on the server I have encrypted files.

Yes, I enabled the E2EE module on the server. I did not set any passwords. The desktop client reported to me a long list of words as the password that I wrote down.

I first noticed the issue when setting up the Nextcloud server on a FreeNAS server, by installing the Nextcloud plugin through the web interface. I also tried again using the community VM from https://www.hanssonit.se/nextcloud-vm/ and got the same result.

Are you uploading files directly to the encrypted folder or do you have subfolders in it? It only works if you put files directly into the encrypted folder

Yes, I have subfolders. If this is not a supported configuration, then the client should warn the user about it.

Okay, I have verified that files in the root encrypted folder do get encrypted. However, this is an EXTREMELY serious usability issue. While it is technically a user-error that my files did not get encrypted due to having placed them in a subfolder, when it comes to encryption and possibly sensitive files the software must protect the user from such accidents.

I do consider myself as a tech-savvy user. If I can make this mistake, I would expect that many others would.

Note that the files would be automatically uploaded to the server before the user has any chance of correcting their mistakes, which means that if the documents are confidential, then they would already be leaked. This is not an acceptable outcome.
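An added check (not code from the Nextcloud project or from anyone in this thread) for exactly the situation described above: it lists files that sit in subfolders of a folder the client marks as encrypted, and it looks for the plaintext content hash of every local file in the server's data directory, so a file that was uploaded unencrypted shows up by its hash match. The `client/Encrypted` and `server/data/<user>/files` layouts are assumptions constructed for the demonstration; point the two functions at your own sync folder and server data directory instead.

```python
# Added example (not Nextcloud's code): verify that files under an E2EE folder are
# not stored as plaintext on the server, and list subfolder files, which the thread
# says the client uploads unencrypted.  Directory layouts below are assumptions.
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def files_in_subfolders(encrypted_root: Path) -> list[Path]:
    """Files not placed directly in the encrypted folder (the unencrypted case)."""
    return sorted(p for p in encrypted_root.rglob("*")
                  if p.is_file() and p.parent != encrypted_root)

def find_plaintext_on_server(local_root: Path, server_data: Path) -> dict[str, str]:
    """Map each local file (relative path) to a server file with identical bytes.
    A properly encrypted copy never matches, since its content hash differs."""
    server_hashes: dict[str, str] = {}
    for p in server_data.rglob("*"):
        if p.is_file():
            server_hashes.setdefault(sha256_of(p), p.as_posix())
    return {p.relative_to(local_root).as_posix(): server_hashes[sha256_of(p)]
            for p in local_root.rglob("*")
            if p.is_file() and sha256_of(p) in server_hashes}

def build_demo(base: Path) -> tuple[Path, Path]:
    """Constructed layout: a.txt sits directly in the E2EE folder and is stored as
    ciphertext; sub/b.txt sits in a subfolder and is stored verbatim."""
    local = base / "client" / "Encrypted"
    server = base / "server" / "data" / "alice" / "files" / "Encrypted"
    (local / "sub").mkdir(parents=True)
    (server / "sub").mkdir(parents=True)
    (local / "a.txt").write_bytes(b"quarterly numbers, confidential")
    (local / "sub" / "b.txt").write_bytes(b"passport scan, confidential")
    (server / "a.txt").write_bytes(os.urandom(48))  # stand-in for ciphertext
    (server / "sub" / "b.txt").write_bytes(b"passport scan, confidential")
    return local, base / "server" / "data"

def run_demo() -> tuple[list[str], dict[str, str]]:
    """Return (subfolder files, files found in plaintext on the server)."""
    with tempfile.TemporaryDirectory() as tmp:
        local, data = build_demo(Path(tmp))
        subs = [p.relative_to(local).as_posix() for p in files_in_subfolders(local)]
        return subs, find_plaintext_on_server(local, data)
```

Run `find_plaintext_on_server` against a read-only copy of the server data directory; any hit means that file is recoverable by whoever can read the server's storage.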

Some previous discussion:

@anon471 Close this issue?

Yes. We can close this issue. There is nothing to add that has not been already been said.

I am honestly baffled and disappointed at the gross negligence that the Nextcloud team expressed in the way they handled this issue. If this was a project under my control, the E2EE feature would be pulled immediately, and all clients would immediately notify the users of possible compromise.

The fact that this bug has been known for months and no action is being taken shows that the Nextcloud team cares more about marketing and buzz than actual security. I don't know how I or anyone else can trust this project if or when they know that this bug has been known for months and nothing has been done about it.

This is not a technical issue; This is an organizational, trust, and accountability issue. I expect nothing less than an open letter with public apology from the Nextcloud team to all the users, and that's barely enough to restore trust. Other developers have lost faith in their products over much more minor misjudgements. I hope that the Nextcloud team will re-evaluate the severity of this issue very soon.

I'll close the issue. This feature has been marked experimental on our website, which it is. While we'd love to have it finished, we simply have to prioritize our work and focus on paying customers. We're hiring for our desktop client team, so this will be addressed once we have more dev resources. Of course, contributions are welcome, if you really consider this a serious issue - this is an open source project and a free product.

It's been more than 6 months.
@jospoortvliet While I understand that this is marked as an "experimental feature" and that this is an open source project, thus it takes time to implement this stuff, this feature should then not be available in the public version of Nextcloud for several reasons.

You're marketing Nextcloud as being "privacy oriented" and "secure" on Twitter and other social media while this essential feature has been broken for so long.
https://twitter.com/Nextclouders/status/1136911932206833665?s=20
https://twitter.com/Nextclouders/status/1126161084891770880?s=20
"Looking for a secure communication channel which doesn't leak the crucial meta-data of who-communicates-with-whom?"
https://twitter.com/nextclouders/status/960816208802205697?lang=en
and many more.

I have moved my cloud storage to OneDrive and have started using Cryptomator as an open source solution to encrypt my data. This program also works with Nextcloud, to anyone interested.
Unlike Nextcloud, they fix privacy and security oriented issues rather quickly.

As @anon471 has stated, this has been going on for too long for Nextcloud to be trustworthy. The Nextcloud team should issue an apology and a warning not to use E2EE until the issue is fixed, especially because many people use the feature and think their data is actually encrypted!

_Originally posted by @ncodeyx in https://github.com/nextcloud/desktop/issues/774#issuecomment-506973940_

I don't think this issue can be safely closed. I wholeheartedly agree with @ncodeyx that this lulls people into a false sense of security, it should at least be stated clearly in the description of the e2e app for nextcloud that the encryption does not encrypt subfolders.

I find @anon471's comments too harsh for an experimental feature of OSS. I also think a few others are not so constructive. This kind of attitude will piss off every OSS investor. If you are not sure about subfolders, you should have it checked, asked and tested.
Note: I am not associated with Nextcloud, but I very much appreciate their work. This might be the one that breaks the MS and cloud monopoly.

@jmaris please note this is a duplicate of #774 and #816. That is probably the reason it got closed. For further discussion of this issue please refer there.
