nextcloud / desktop

💻 Desktop sync client for Nextcloud
https://nextcloud.com/install/#install-clients
GNU General Public License v2.0

[Bug]: Invalid SSL cert pops warning every minute, encouraging unsafe choice #5396

Open NiklasBeierl opened 2 years ago

NiklasBeierl commented 2 years ago


Bug description

Hello,

I was a bit torn on whether to post here on the form, but I think this matter deserves to be discussed among developers and should ultimately result in a change to code. I also know that the root cause for my problem is not necessarily the Nextcloud client itself. But I think we can make a small change that will make NC more secure for everyone, so please hear me out. :)

My situation is as follows: I have my client connected to multiple NC servers, a few private ones and a few for work. This seems to be a common use-case among a lot of people that I know. It so happens that one of the servers I am connected to for reasons of work has administrators that occasionally let the SSL certificate expire. Of course that always happens when they are on vacation for the next few days and no one else can address it. ;) This causes an "invalid certificate" warning to be raised by the Nextcloud client every minute.

I have tried to "pause sync" for that server, and it appears that I was already "signed out" from it automatically, but still: the warning shows up every minute. After trying around for a bit, I have concluded that the only ways I can "make the warning go away" are:

Now I personally am a security professional, so I naturally opt for the more secure options, even if it's annoying. But talking to my coworkers, I discovered that a lot of them will just tick [ ] Trust this certificate anyway to get on with their lives. I know it's kinda sad but let's be honest, that's how people work. :shrug: Of course, on one hand that is "their problem" now, but in another way it is like the NC Client is almost nudging them towards this course of action with the annoying repeated prompt. Which leads me to my proposal, see "Expected behavior".

Steps to reproduce

  1. Add a Nextcloud server with an expired SSL certificate to your client
  2. Get spammed with pop-up notifications...

Expected behavior

Since expired certificates are a rather common problem, I think NC Client should handle the interaction with the user more "constructively". I.e.: Not nudging the user into making an insecure choice ("Trust this cert anyway").

The easiest fix would be to reduce the frequency with which this warning pops up. An even better way might be offering the user a better explanation of what is happening, what he can/should do and clearly mark the consequences of each, something like:


Cannot connect securely to <servername>: <Short reason>

<Button to show details of the certificate>

You should contact the administrator of your server to get this problem fixed. If you are the administrator see for common causes of this problem.

For now you may choose to:

  1. Pause sync for this server and suppress this warning for some time. (This warning might come up again when you resume sync and the problem was not fixed.)
    • 1 Hr
    • 1 Day
  2. Trust this certificate anyway. WARNING THIS IS DANGEROUS, NC Client cannot ensure that it is communicating with the correct server! You might be under attack.

I believe this would do a lot to prevent people from trusting potentially bad certificates and it is probably not very hard to implement. :)

Which files are affected by this bug

?

Operating system

Linux

Which version of the operating system you are running.

Arch Linux

Package

Distro package manager

Nextcloud Server version

24.0.7

Nextcloud Desktop Client version

3.6.6-1

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

Nextcloud Server logs

No response

Additional info

No response

larsskj commented 2 years ago

I can elaborate on this problem: For me, it only hits a Linux client running on Ubuntu 22.04.

I believe the problems started after an expired certificate due to a Let's Encrypt/CertManager problem in my Kubernetes cluster (where NC is running). I quickly fixed the problem and NC is again running with valid certificates.

However, the Linux client keeps complaining even though the certificates are now fine: And it only hits the Linux client - I have clients running on Windows, Android, and iOS, and none of these complain, and likewise browser access works just fine and all browsers connecting to the NC instance confirm that the certificate is valid.

I have tried completely removing the setup from the Linux client and recreating the setup from scratch - but to no avail: The client keeps complaining.

NiklasBeierl commented 2 years ago

Hey @larsskj,

I think we are not exactly talking about the same problem here. The certificates on the server were indeed outdated and remained so for a couple of days, so the error messages were justified. My gripe with NC client is that it prompts users with a warning about that very frequently and I believe this is not conducive to security, since it will eventually nudge people to engage in insecure practices (ignoring bad certificates).

larsskj commented 2 years ago

Well - no - it may not be the same issue, but to me it sounds like so, nevertheless.

My issue started with an expired certificate as well, and the NC client started complaining like you describe. However, when I fixed the certificate issue, everything started working again - except for the NC Linux client that keeps complaining about the certificate.

erebion commented 1 year ago

I also have this "warning" which basically asks me to trust whatever certificate it gets, instead of simply aborting the connection, every time I connect to a public wifi that has a Captive Portal.

I think the client should just try to re-connect and warn after maybe five minutes (without a button for just accepting a potential Person In The Middle certificate) so we can connect to a public wifi without getting warnings.

I use multiple Nextcloud accounts for myself and organisations and getting that multiple times is just very annoying.

Nextcloud Desktop could also do a Captive Portal check which would happen once it gets an invalid cert. If the check results in the detection of a Captive Portal, it would then wait for a moment before trying again and then warning the user.

Just wait for a moment and if it still does not work, then tell me. :)

but in another way it is like the NC Client is almost nudging them towards this course of action with the annoying repeated prompt. Which leads me to my proposal, see "Expected behavior".

Why, yes. This is basically a dark pattern that endangers people.

I think NC Client should handle the interaction with the user more "constructively". I.e.: Not nudging the user into making an insecure choice ("Trust this cert anyway").

Exactly this.

2. Trust this certificate anyway. WARNING THIS IS DANGEROUS, NC Client cannot ensure that it is communicating with the correct server! You might be under attack.

But please do not offer this. Errors in configuration of security relevant parts should be fixed and not ignored.


Instead just have a way to pin a certificate in the config file (if it does not exist already) and document that self-signed CAs should be added to the system's trust store.
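The prompt policy that the thread converges on (OP's "pause sync and suppress for 1 hour / 1 day" option, and erebion's "retry silently for ~5 minutes, check for a captive portal first, and never offer a trust-anyway button") can be sketched as a small state machine. This is an added illustration, not code from the Nextcloud desktop client; `CertWarningPolicy`, `captive_portal_detected`, the 5-minute grace period and the 1-hour re-prompt interval are all assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    RETRY = "retry silently"      # keep polling the server, no UI at all
    WARN = "show warning"         # one warning, offering only pause options
    SUPPRESSED = "suppressed"     # user paused (or was just warned): stay quiet

@dataclass
class CertWarningPolicy:
    """Decide whether a TLS validation failure may interrupt the user.
    Hypothetical policy for illustration, not the client's own logic."""
    grace_seconds: float = 300.0      # erebion's ~5 minutes before first warning
    reprompt_seconds: float = 3600.0  # never re-warn more often than hourly
    first_failure_at: Optional[float] = None
    suppress_until: float = 0.0

    def on_tls_failure(self, now: float, captive_portal: bool = False) -> Action:
        if self.first_failure_at is None:
            self.first_failure_at = now
        if now < self.suppress_until:
            return Action.SUPPRESSED
        # A captive portal presents its own certificate, not the server's:
        # keep retrying silently until the portal is gone. Same during the grace period.
        if captive_portal or now - self.first_failure_at < self.grace_seconds:
            return Action.RETRY
        # Warn once, then hold off; the user may extend the pause via pause().
        self.suppress_until = now + self.reprompt_seconds
        return Action.WARN

    def pause(self, now: float, hours: float) -> None:
        """OP's '1 Hr' / '1 Day' choice: suppress the warning for that long."""
        self.suppress_until = now + hours * 3600

    def on_tls_success(self) -> None:
        # Certificate is valid again: forget the outage so the next one gets a fresh grace period.
        self.first_failure_at = None
        self.suppress_until = 0.0

def captive_portal_detected(probe_status: int, probe_final_host: str, expected_host: str) -> bool:
    """Plain-HTTP connectivity probe: a captive portal intercepts it and answers with a
    redirect or serves the response from its own host instead of the expected one."""
    return probe_status != 204 or probe_final_host != expected_host
```

The probe inputs are constructed values; a real client would issue the HTTP request itself and feed the observed status and final host into `captive_portal_detected` before deciding whether to call `on_tls_failure` with `captive_portal=True`.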

cluck commented 10 months ago

This should get much higher priority.

We need at least a config option to prevent this popup, such that the client will silently retry until the certificate turns valid again.

jahway603 commented 4 months ago

I am also experiencing the same issue as OP.

avatar1024 commented 4 weeks ago

Yeah I agree, those messages popping up every minute are very disruptive.

In my case I get them whenever I use my laptop not connected to the internet.