Why does Nextcloud request these domains? #12370

Closed
TheLastProject opened this issue Nov 9, 2018 · 18 comments

Comments

@TheLastProject
Contributor

```php
private function isInternetConnectionWorking() {
	// Admin can declare "no internet" in config.php; then the probe is skipped entirely.
	if ($this->config->getSystemValue('has_internet_connection', true) === false) {
		return false;
	}
	$siteArray = ['www.nextcloud.com',
		'www.startpage.com',
		'www.eff.org',
		'www.edri.org',
	];
	// The first host that answers is enough; the response body is not used.
	foreach($siteArray as $site) {
		if ($this->isSiteReachable($site)) {
			return true;
		}
	}
	return false;
}
```

Why these URLs? Why does Nextcloud need to know if it can connect to these hosts? Our network person wants to know and I can't find this explained in the documentation.

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #10941 (Nextcloud customiztion), #5405 (Nextcloud / direct_menu), #3911 (Slow Nextcloud), #104 (NextCloud / OwnCloud), and #4178 (Creating New Calendar in NextCloud does not function).

@kesselb
Contributor

kesselb commented Nov 9, 2018

For some features a working internet connection is required. If the check fails you should see a warning. It's possible to turn off external connections from nextcloud by changing a config flag.

When you build such a check it's common to test it with multiple hosts.
176b4d6 @rullzer

@TheLastProject
Contributor Author

"Some features"? Like, update checking? But that would fail if there's no way to connect to nextcloud.com anyway. The check only checks if those 4 hosts are reachable, which is a bit nonsensical and causes a false negative with the firewall policy of "applications can only talk to the hosts they really have to talk to".

@MorrisJobke
Member

> "Some features"? Like, update checking? But that would fail if there's no way to connect to nextcloud.com anyway. The check only checks if those 4 hosts are reachable, which is a bit nonsensical and causes a false negative with the firewall policy of "applications can only talk to the hosts they really have to talk to".

True point, but we also don't know all domains for federated sharing for example.

The check is there to show a message to the sysadmin. There are multiple domains in there to verify it's not an outage of one of the sites listed there.

The network connection is needed to a) check for updates (updates.nextcloud.com), b) download updates via updater (download.nextcloud.com), c) fetch app updates (apps.nextcloud.com) and d) be able to use federated sharing (any domain that hosts a nextcloud).

@TheLastProject
Contributor Author

Okay, that's an understandable point. Thank you for the explanation.

Would it perhaps be worth considering making these hosts configurable in the config.php file? This would allow testing the hosts you know you'll communicate with and would also help in cases where the default list of hosts you check would be blocked (I saw some other issues on the issue tracker talking about nextcloud.com not being reachable through Russia, for example).
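As an added example, not Nextcloud's code and not posted by any participant here, this is what the check could look like if the probed hosts were read from config.php as suggested above. The `connectivity_check_domains` key and the `isSiteReachable` body are assumptions for illustration; only `has_internet_connection` is an existing option.

```php
<?php
// Added example (not Nextcloud's code): the connectivity check reworked so the
// probed hosts come from config.php. 'connectivity_check_domains' is an assumed
// key name; 'has_internet_connection' is the existing option from the issue.
declare(strict_types=1);

final class ConnectivityCheck {
    /** Default probe list, identical to the hosts quoted in the issue. */
    private const DEFAULT_HOSTS = [
        'www.nextcloud.com', 'www.startpage.com', 'www.eff.org', 'www.edri.org',
    ];

    /** @param array<string,mixed> $config the parsed config.php array */
    public function __construct(private array $config) {}

    /** True when at least one configured host answers over HTTPS. */
    public function isInternetConnectionWorking(): bool {
        // Existing flag: the admin declares "no internet", so no probe is sent at all.
        if (($this->config['has_internet_connection'] ?? true) === false) {
            return false;
        }
        // Assumed key: let the admin list only the hosts this instance is allowed to
        // reach (update server, federation partners). An empty list means "assume
        // connected" without contacting any third party.
        $hosts = $this->config['connectivity_check_domains'] ?? self::DEFAULT_HOSTS;
        if ($hosts === []) {
            return true;
        }
        foreach ($hosts as $host) {
            if ($this->isSiteReachable((string) $host)) {
                return true;
            }
        }
        return false;
    }

    /** HEAD request with a short timeout so a silently dropping egress firewall cannot stall the admin page. */
    private function isSiteReachable(string $host): bool {
        $ctx = stream_context_create(['http' => [
            'method' => 'HEAD', 'timeout' => 3, 'ignore_errors' => true,
        ]]);
        $headers = @get_headers('https://' . $host . '/', false, $ctx);
        // Any HTTP response, even a 4xx, proves the host is reachable; the body is never used.
        return $headers !== false;
    }
}
```

With `'connectivity_check_domains' => ['updates.nextcloud.com']` only the host the instance must reach anyway is contacted, which matches the firewall policy described in the issue.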

@korelstar
Member

I can confirm that this is an issue if you want to operate Nextcloud in a high-security data center (e.g. in Germany a BSI-certified data center with "Schutzbedarf hoch" or "Schutzbedarf sehr hoch" according to "BSI IT-Grundschutz").

Another option would be to provide a configuration variable to disable the check at all (i.e. assume that there is an internet connection).

@TheLastProject
Contributor Author

There is already a variable to disable the check, see has_internet_connection on https://docs.nextcloud.com/server/14/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=has_internet_connection. I had to look into the code to understand it related to this though.

@korelstar
Member

But if I understand this correctly, when setting has_internet_connection=false, you can't use the update checker, app store etc. anymore, since Nextcloud assumes that you have no Internet connection.

@dirigit

dirigit commented Nov 9, 2018

IMHO a further improvement over configurable hosts to test would be no automatic test but a button to perform update test manually (might be cron capable as well).

As it is now there is no personal data transferred, but the tested hosts know that NextCloud is running there.

Issue 1: Who knows about content of active hosts file or setup of DNS being involved?
Issue 2: Is there no leak in NextCloud for sure?

As a result this behaviour is a security bug by design.

Nothing is unhackable. (tm)

@MorrisJobke
Member

> But if I understand this correctly, when setting has_internet_connection=false, you can't use the update checker, app store etc. anymore, since Nextcloud assumes that you have no Internet connection.

Correct.

> IMHO a further improvement over configurable hosts to test would be no automatic test but a button to perform update test manually (might be cron capable as well).

This check is only done to show it on the setup checks in the admin settings. Even if those hosts are not reachable the updater as well as the app store should work without problems.

> As a result this behaviour is a security bug by design.

We don't expose anything here. We tried to choose hosts that have quite high data protection standards as well as a good moral understanding for this kind of stuff. Also it's easily possible to scrape for example shodan for Nextclouds. So if you have security concerns that a web service can be hacked, then you should not put it on the internet at all. Beside that we can look into improving this. But currently it is not high on the priority list. If you really wish to have it gone: edit the file and you are safe™ again.

@violoncelloCH
Member

@MorrisJobke Couldn't we just check against domains Nextcloud connects to anyways? So check the Nextcloud domains and all known, trusted federations?

@dirigit

dirigit commented Nov 10, 2018

@MorrisJobke Pulling the plug should be common behaviour since Windows is distributed.

Sad enough, but it's far from reality nowadays. In between (2017) there has been at least one kind of cheap keyboard (less than $5) identified sending every key stroke to a Chinese server. Even on mainboards of high end systems, chips not existing in the original mainboard design and with "unknown functionality" are detected. Go figure.

Trouble here is spreading information to several sites without being known by average administrator - no public documentation, targets only visible in source and when analyzing network traffic. That's what I cover with "by design".

Related to security and compliance:
I.e. sites being located in The Netherlands do not have the level of compliance to GDPR like it's often common in Germany in between. There is another thinking about it. Not to mention sites being hosted in U.S.A. or by an U.S. american company even in Germany (see law about U.S. homeland security and changes which happened this year).

Don't get me wrong but:
No matter which business model you have - everything is a question of trust and money at the very end. Especially for small companies the price of support is a very relevant factor as well as trust. There must be some balance because they don't have resources to educate themselves in every area (please, don't say "you get what you pay for" ;) ).

@ghost

ghost commented Nov 11, 2018

Just to put this into perspective: I'm not a nextcloud dev, but I'm pretty sure the only "privacy"-related impact is that the operators of those sites could log that your nextcloud instance as a whole exists.

Therefore, this should have absolutely zero privacy impact on the actual users on your instance - so it only possibly affects the privacy of the person owning the entire instance, and only in the special case where it's not public already anyway, and only affects it as much as the existence of the instance being confirmed.

I'm not saying that's not necessarily a problem for some people, but at least for the regular end user of the instances, I don't see the impact.

@korelstar
Member

For me, this is not about privacy, but about IT security and respective arrangements that have to be fulfilled if you are working in a high-security data center. I know, this is not easily comprehensible, but please have a look at BSI Grundschutz and respective certifications.

@ghost

ghost commented Nov 11, 2018

> this is not easily comprehensible

Might be if you were more concrete about it. Do these certifications include "can't connect to external foreign country host via HTTP"? After all, nothing is done with the test result and no information about your local instance is passed to these sites other than the mere existence, so the room for potential intrusion should be quite minuscule. (These websites are not actually parsed and/or locally integrated somehow; if I understand the code correctly it just checks that the HTTP request works and then does nothing with the downloaded result.) I'm not the person in charge of fixing or not fixing this bug though, I'm just curious.

@rullzer
Member

rullzer commented Nov 11, 2018

> I.e. sites being located in The Netherlands do not have the level of compliance to GDPR like it's often common in Germany in between.

I would like to see proof of this. Sure some sites in the Netherlands do not comply with the GDPR but they can be reported and are handled. Just like I would bet money on it that not all sites in Germany are GDPR compliant.

Also I can only connect this to www.startpage.com which in general is trusted to be a very privacy friendly search provider.

> Nothing is unhackable. (tm)

True. So best not to connect any of your devices to the internet.


Anyway. As mentioned above we do not consider this a security bug. We run a simple check to tell the average administrator if there might be a problem with their setup. Firefox for example also checks a special URL to detect captive portals.

Having said all that this is FOSS and we do like to improve things step by step.

We always welcome contributions to our documentation. So feel free to add a section there on the current behavior.

And if somebody has a PR to improve this handling here please do submit it. Keep in mind that we want to keep things easy for the average user. But a PR that improves this handling with proper tests is certainly something we can take a look at.

@dirigit

dirigit commented Nov 12, 2018

@rullzer When you want to get a proof about more lax handling of GDPR in The Netherlands than in Germany you "only" have to dig a little in some search engine of your choice.

In general I have been in IT for a very long time, and BSI Grundschutz has been a minimal standard for me for a long time as well. But, at the end it's all a question of how much money somebody is able and willing to spend for his environment to have more "freedom" without lowering security.

Nevertheless, an old general rule for security:
Deny anything first, permit as little as possible.

Spreading information without knowledge about it and explicit allowance is simply a "no go". It opens a can of worms for sure and raises costs for security exponentially (not linearly).

Related to web technology:
Usage of CDNs is doubtful as well. Latest when it comes to privacy it's a "no go".
Other examples are some CAPTCHA implementations.

Related to GDPR: It's in force since 2016 but most people ignored it. Therefore implementations are lacking needed features "by default" almost everywhere (W10 is only one example).

@ghost

ghost commented Nov 12, 2018

And what is the information you consider spread? Your nextcloud server's ip address, violating the privacy of whom exactly, your company running it? Or the web hoster? CDNs are different, since end users are exposed to them - unlike to this mechanism.

So unless someone here is a lawyer and says otherwise, I kind of doubt this issue is an actual GDPR problem... (disclaimer: not a lawyer myself)

8 participants