You should not advertise Seafile as a safely encrypted solution. #490

New Issue

Closed

opened 2018-06-30 12:23:46 +00:00 by RichardRMatthews · 4 comments

RichardRMatthews commented 2018-06-30 12:23:46 +00:00 (Migrated from github.com)

Copy Link

In my last issue about Seafile I talked about issue 350

But maybe an even bigger problem is that Seafile uses only 1000 rounds of sha256 for its Key-derivation-function. In the Seafile user manual it says :

Encrypt the file key with the user provided password. We first use PBKDF2 algorithm (1000 iterations of SHA256)

It should be said that in the year 2018 bcrypt ,scrypt or argon2 would be a far better choice , but regardless of that 1000 rounds are not enough. And that it not just me being paranoid. A qoute from pbkdf2s Wikipedia page :

When the standard was written in the year 2000 the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. As of 2005 a Kerberos standard recommended 4096 iterations,[3] Apple iOS 3 used 2000, iOS 4 used 10000,[4] while in 2011 LastPass used 5000 iterations for JavaScript clients and 100000 iterations for server-side hashing.

This together with the issue 350 ( which is unfixed for almost 5 years ) , can only mean that the developers of Seafile don't take Security as serious as they claim.

In my last issue about Seafile I talked about issue [350](https://github.com/haiwen/seafile/issues/350) But maybe an even bigger problem is that Seafile uses only 1000 rounds of sha256 for its Key-derivation-function. In the Seafile user manual it says : > Encrypt the file key with the user provided password. We first use PBKDF2 algorithm (1000 iterations of SHA256) It should be said that in the year 2018 bcrypt ,scrypt or argon2 would be a far better choice , but regardless of that 1000 rounds are not enough. And that it not just me being paranoid. A qoute from pbkdf2s Wikipedia page : > When the standard was written in the year 2000 the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. As of 2005 a Kerberos standard recommended 4096 iterations,[3] Apple iOS 3 used 2000, iOS 4 used 10000,[4] while in 2011 LastPass used 5000 iterations for JavaScript clients and 100000 iterations for server-side hashing. This together with the issue 350 ( which is unfixed for almost 5 years ) , can only mean that the developers of Seafile don't take Security as serious as they claim.

👍 11

nenadandric commented 2018-08-12 10:15:42 +00:00 (Migrated from github.com)

Copy Link

I don't get this?
Seafile is not recommended since its client side encryption is not good enough, while Nextcloud is on the list, even though it doesn't have E2EE (i.e. it's still in alpha)? If you self host, then it doesn't matter since server side encryption is good. If you use one of available providers, than it is easier for them to access your Nextcloud files than those on Seafile server with E2EE.

So until Nextcloud client side encryption is ready for use, and audited, either both of these platforms should be recommended or not recommended.

I don't get this? Seafile is not recommended since its client side encryption is not good enough, while Nextcloud is on the list, even though it doesn't have E2EE (i.e. it's still in alpha)? If you self host, then it doesn't matter since server side encryption is good. If you use one of available providers, than it is easier for them to access your Nextcloud files than those on Seafile server with E2EE. So until Nextcloud client side encryption is ready for use, and audited, either both of these platforms should be recommended or not recommended.

👍 9

ghost commented 2018-08-15 09:37:09 +00:00 (Migrated from github.com)

Copy Link

@kewde

@kewde

kewde commented 2018-08-23 10:23:47 +00:00 (Migrated from github.com)

Copy Link

@nenadandric feel free to make a PR to remove the whole section.
Perhaps S4 is a decent solution, but ideally we have a section with at least 2 decent projects.

@nenadandric feel free to make a PR to remove the whole section. Perhaps S4 is a decent solution, but ideally we have a section with at least 2 decent projects.

Corxo commented 2021-08-01 09:18:25 +00:00 (Migrated from github.com)

Copy Link

3 years has passed, is this still a reality or the seafile team has fixed this issue?

3 years has passed, is this still a reality or the seafile team has fixed this issue?

This repo is archived. You cannot comment on issues.

No Branch/Tag Specified

Branches Tags

master

dependabot/bundler/nokogiri-1.13.6

dependabot/bundler/addressable-2.8.0

freddy-m-patch-3

pr-add_RemoveMyPhone_sponsor

pr-browser_cleanup_1257_1328_1430

freddy-m-patch-2

freddy-m-patch-1

pr-vpn_hated_one_video

cdn

update-nitrohorse-image

promote-metager-to-card

hardware

pr-add_azirevpn

pr-add_mailfence

shop

1673

pr/1658

i18n-simple

sponsorship-edits-nov2019

i18n

ipfs

blacklight447-ptio-patch-3

blog

remove-windows-icons

pr/1147

i18n-testing

add-beautify

Labels

Clear labels   

🔍🤖 Search Engines

  

approved

approved, waiting for a PR

  

dependencies

Pull requests that update a dependency file

  

duplicate

  

feedback wanted

  

high priority

  

I2P

The Invisible Internet Project (I2P)

  

iOS

  

low priority

  

OS

Operating Systems

  

Self-contained networks

  

Social media

  

stale

A label for stalebot if it gets added

  

streaming

Anything related to media streaming.

  

todo

  

Tor

Anything covering the Tor network

  

WIP

active work in progress, do not merge or PR (yet)!

  

wontfix

Issues or bugs that will not be fixed and/or do not have significant impact on the project.

  

XMPP

Extensible Messaging and Presence Protocol

  

[m]

Matrix protocol

  

₿ cryptocurrency

  

ℹ️ help wanted

  

↔️ file sharing

  

⚙️ web extensions

Browser Extension related issues

  

✨ enhancement

  

❌ software removal

  

💬 discussion

  

🤖 Android

  

🐛 bug

  

💢 conflicting

  

📝 correction

Correction of content on the website

  

🆘 critical

  

📧 email

  

🔒 file encryption

  

📁 file storage

  

🦊 Firefox

Firefox & forks, about:config etc.

  

💻 hardware

  

🌐 hosting

  

🏠 housekeeping

Anything primarily related to site cleanup.

  

🔐 password managers

  

🧰 productivity tools

  

🔎 research required

  

🌐 Social News Aggregators

  

🆕 software suggestion

  

👥 team chat

  

🔒 VPN

Virtual Private Network

  

🌐 website issue

*Technical* issues with the website.

  

🚫 Windows

  

👁️ browsers

  

🖊️ digital notebooks

  

🗄️ DNS

Domain Name System

  

🗨️ instant messaging (im)

  

🇦🇶 translations

Anything covering a translated version of the site

No Label

🔍🤖 Search Engines

approved

dependencies

duplicate

feedback wanted

high priority

I2P

iOS

low priority

OS

Self-contained networks

Social media

stale

streaming

todo

Tor

WIP

wontfix

XMPP

[m]

₿ cryptocurrency

ℹ️ help wanted

↔️ file sharing

⚙️ web extensions

✨ enhancement

❌ software removal

💬 discussion

🤖 Android

🐛 bug

💢 conflicting

📝 correction

🆘 critical

📧 email

🔒 file encryption

📁 file storage

🦊 Firefox

💻 hardware

🌐 hosting

🏠 housekeeping

🔐 password managers

🧰 productivity tools

🔎 research required

🌐 Social News Aggregators

🆕 software suggestion

👥 team chat

🔒 VPN

🌐 website issue

🚫 Windows

👁️ browsers

🖊️ digital notebooks

🗄️ DNS

🗨️ instant messaging (im)

🇦🇶 translations

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

1 Participants

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#490

No description provided.