owncloud / client

🖥️ Desktop Syncing Client for ownCloud
GNU General Public License v2.0

Owncloud-client does not verify TLSA-record (DANE) #6521

Open wioxjk opened 6 years ago

wioxjk commented 6 years ago

Expected behaviour

Owncloud Client should verify TLSA record

Actual behaviour

Owncloud Client does not verify TLSA record

Steps to reproduce

  1. Set up an invalid TLSA record

######################

It seems that the Owncloud-client does not verify DANE (TLSA-record).

ckamm commented 6 years ago

Yes.

This would be done in upstream libraries. The only Qt related issue I found was https://bugreports.qt.io/browse/QTBUG-54682 .

But it doesn't seem like DANE has received significant adoption; as far as I can tell, neither Firefox nor Chrome use it yet.

wioxjk commented 6 years ago

I am aware that the adoption of DANE is slow :) But it would be a nice security feature for Owncloud to have that support. If Owncloud adds support for it - more will follow.

guruz commented 6 years ago

CC @peter-ha @richmoore

peter-ha commented 6 years ago

Chromium said "won't fix" years ago: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22

wioxjk commented 6 years ago

@peter-ha Since when did Chromium decide what the Owncloud cloud should implement? Also, that is almost 5 years ago. The internet has changed a lot since then.

Encryption is trending nowadays, and owncloud should set an example.

peter-ha commented 6 years ago

meh

richmoore commented 6 years ago

See also https://www.imperialviolet.org/2015/01/17/notdane.html

wioxjk commented 6 years ago

At least I hope you will give that option to us enterprise customers.

michaelstingl commented 6 years ago

@wioxjk enterprise customers please get in touch with enterprise support or your account manager. (https://owncloud.com/contact/)