Nextcloud: Default Nextcloud allows http federated shares
News category: Vulnerabilities
Source: vulners.com
- userA on serverA runs on http only
- userA sends a federated share to userB on serverB
- userB is a normal user so he has no clue that there is no secure transport used and accepts the share
- all the data written to and read from is now no longer protected by TLS

Impact

While maybe a bit far-fetched, this would allow for man-in-the-middle attacks. Nextcloud just seems to allow plain http communication by default. It is in my opinion not sensible at all to expect end users to know the difference here.

I propose:

- Allow only https by default (certificates are easy and cheap these days)
- If it is for local debugging then only allow http when debugging
- If really needed for some edge case make this explicit opt in in... ...
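
The policy proposed in the report, sketched as an added example (not code from the report or from Nextcloud): a remote is reached over https unless debugging is on or the host has been explicitly opted in. The names `resolve_remote`, `audit`, `debug` and `http_opt_in` are hypothetical, and the sample remotes are constructed.

```python
from urllib.parse import urlsplit

class InsecureRemoteError(ValueError):
    """The remote would be reached over plain http without an explicit opt-in."""

def resolve_remote(remote, *, debug=False, http_opt_in=frozenset()):
    """Return the base URL to use for a federated remote, or raise ValueError.

    debug and http_opt_in are hypothetical settings, not Nextcloud options.
    """
    remote = remote.strip()
    if "://" not in remote:
        remote = "https://" + remote  # no scheme given: assume https, never probe http
    parts = urlsplit(remote)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"not a usable remote: {remote!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in a remote URL are not accepted")
    if parts.scheme == "http" and not (debug or host in http_opt_in):
        raise InsecureRemoteError(f"{host} offers http only; share refused")
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}{parts.path.rstrip('/')}"

def audit(remotes, **policy):
    """Classify each remote as 'accept', 'reject-insecure' or 'reject-invalid'."""
    result = {}
    for remote in remotes:
        try:
            resolve_remote(remote, **policy)
            result[remote] = "accept"
        except InsecureRemoteError:
            result[remote] = "reject-insecure"
        except ValueError:
            result[remote] = "reject-invalid"
    return result

# Constructed sample remotes (not taken from the report).
SAMPLE = ["cloud.example.org", "http://servera.example", "ftp://files.example"]

if __name__ == "__main__":
    for remote, verdict in audit(SAMPLE).items():
        print(f"{verdict:16} {remote}")
```

Running `audit` over the remotes of shares that already exist shows which ones would stop working under an https-only default.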