I really don't understand what this article is trying to say. About 2/3 of it seems to be an explanation of an SSL Labs scan. It's good to get an SSL Labs checkup for your site, but that's like 0.5% of your overall security problem.
None of this concerns me for an application like NextCloud. Deploying TLS properly is table stakes. What does concern me: this app is written in PHP, famous for such a horrific design that it frequently leads developers down dangerous code paths that result in remotely exploitable bugs.
Given the size of the codebase and the insecure language and frameworks it's built on, I would consider a NextCloud instance that touches the internet to be at enormous risk of compromise.
If you want to investigate my gut, there are a million and one things having to do with its architecture and implementation that you want to look into. None of those things involve what TLS cipher suites it uses.
While it is true that PHP is evolved more than it is designed, and as such retains the hallmarks of earlier generations and sometimes surprises you with its anachronisms, it is not true that this makes it impossible to create secure software. It just takes more discipline to avoid cutting corners. The same goes for many other languages and platforms, so PHP is not alone here.
That aside, Nextcloud and similar user-extensible platforms are very hard to secure, as it only takes a single slip of the thought by a single app author to open up the doors for unwanted visitors. As it is just the flexibility which gives Nextcloud (et al.) its appeal, this is a hard problem to solve.
tptacek | 9 years ago
simplehuman | 9 years ago
dguido | 9 years ago
Seriously WTF are the PHP devs smoking? Just look at these tables: https://secure.php.net/manual/en/types.comparisons.php
LukasReschke | 9 years ago
If someone here feels challenged: We look forward to your reports. :)
Yetanfou | 9 years ago
chrisper | 9 years ago
The upside is that you don't have to install much serverside.
bitJericho | 9 years ago
newsat13 | 9 years ago
* What do you do for mobile access?
* How do you share to a single person or a group?
* What do you do for team collaboration?