<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>rullzer.com</title>
    <link>https://rullzer.com/</link>
    <description>Recent content on rullzer.com</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-gb</language>
    <copyright>(c) 2022 Roeland Jago Douma -  This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)</copyright>
    <lastBuildDate>Mon, 21 Nov 2022 00:00:00 +0000</lastBuildDate>
    
	<atom:link href="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9ydWxsemVyLmNvbS9pbmRleC54bWw" rel="self" type="application/rss+xml" />
    
    
    <item>
      <title>Using HIBP to detect credential stuffing attacks</title>
      <link>https://rullzer.com/2022/11/21/using-hibp-to-detect-credential-stuffing-attacks/</link>
      <pubDate>Mon, 21 Nov 2022 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2022/11/21/using-hibp-to-detect-credential-stuffing-attacks/</guid>
      <description>A few weeks ago I was asked to have a look at a system. I can&amp;rsquo;t really share which system but it is not really important to the story. This system is not that unique in any specific way. Users can register an account. Users can login and do things. All the things one would expect from a website that offers a service these days. I must say the people running the website even had things pretty well set up.</description>
    </item>
    
    <item>
      <title>Strict-transport-security analysis</title>
      <link>https://rullzer.com/2022/10/13/strict-transport-security-analysis/</link>
      <pubDate>Thu, 13 Oct 2022 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2022/10/13/strict-transport-security-analysis/</guid>
      <description>I worked with the Strict Transport Security header when I was still at Nextcloud. However my interest was reignited this week after attending the Practical TLS and PKI training by Scott Helme. So I started digging into the crawler.ninja dataset to see what I could get out of it.
What is the Strict Transport Security Header? But first things first. For details read the MDN docs. But in short it comes down to a header a webserver can set on secure requests to tell the client to only connect securely to that host for a given time.</description>
    </item>
    
    <item>
      <title>Certificate lifetime analysis</title>
      <link>https://rullzer.com/2019/09/06/certificate-lifetime-analysis/</link>
      <pubDate>Fri, 06 Sep 2019 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2019/09/06/certificate-lifetime-analysis/</guid>
      <description>Currently a vote is ongoing in the Server Certificate Working Group. The vote is with regards to the SC22 ballot that would limit certificate lifetime to a maximum of 1 year.
Due to the discussion and controversy around SC I decided to dive into some data to see what the actual lifetime of certificates is in practice. Now any selection will be biased to some degree. However taking the Alexa top 1 million crawls seems like a fair selection and should provide insights into the biggest websites out there.</description>
    </item>
    
    <item>
      <title>Secure and Easy 2FA in Nextcloud</title>
      <link>https://rullzer.com/2019/04/01/secure-and-easy-2fa-in-nextcloud/</link>
      <pubDate>Mon, 01 Apr 2019 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2019/04/01/secure-and-easy-2fa-in-nextcloud/</guid>
      <description>At Nextcloud we are focused on security and usability. Often these two things conflict. In the last few months we have been working hard to make sure that two-factor authentication is easy to set up and easy to use for all users!
Without much further delay. I&amp;rsquo;m proud to introduce the next step in two-factor authentication the It is really me - Provider.
 Note: the app is still under heavy development.</description>
    </item>
    
    <item>
      <title>Two-Factor via Nextcloud Notifications</title>
      <link>https://rullzer.com/2018/10/19/two-factor-via-nextcloud-notifications/</link>
      <pubDate>Fri, 19 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2018/10/19/two-factor-via-nextcloud-notifications/</guid>
      <description>I&amp;rsquo;m happy to announce a new two-factor provider for your Nextcloud: the Notifications Provider. This provider utilizes your existing logged in devices to grant new devices access to your Nextcloud.
 Note: the app is still under heavy development. Still we appreciate testing and feedback!
 The flow is simple. You enable the provider in your personal security settings. Then the next time you log in you can choose to authenticate using a device that is already logged in to your account.</description>
    </item>
    
    <item>
      <title>Towards a stricter Content Security Policy</title>
      <link>https://rullzer.com/2018/10/18/towards-a-stricter-content-security-policy/</link>
      <pubDate>Thu, 18 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2018/10/18/towards-a-stricter-content-security-policy/</guid>
      <description>A Content Security Policy (CSP) can be used to protect against Cross Site Scripting (XSS) attacks. This is done by having the server tell the browser what resources (executable script, images, etc) can be loaded from where. All this is told to the browser via a header, so if the actual page tries to do something it is not allowed the browser will block it.
At Nextcloud we have deployed a CSP for a while now that limited the resources to be loaded mainly to the domain your Nextcloud is running on.</description>
    </item>
    
    <item>
      <title>Improved AppPasswords in Nextcloud 14</title>
      <link>https://rullzer.com/2018/09/05/improved-apppasswords-in-nextcloud-14/</link>
      <pubDate>Wed, 05 Sep 2018 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2018/09/05/improved-apppasswords-in-nextcloud-14/</guid>
      <description>The app passwords have been available in Nextcloud for some time now. They were first introduced when we added second factor authentication to Nextcloud, as you still want to have a way to connect your mobile and desktop clients to your account. In the early days this was all manual labor.
In the last year we have added support for app passwords to our mobile clients and the desktop client is following soon.</description>
    </item>
    
    <item>
      <title>Introducing DropIt</title>
      <link>https://rullzer.com/2018/01/16/introducing-dropit/</link>
      <pubDate>Tue, 16 Jan 2018 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2018/01/16/introducing-dropit/</guid>
      <description>A few weeks ago I was chatting with Tobias, one of the Android engineers at Nextcloud. He mentioned how he often wanted to just share a file quickly with somebody or just share some text. Basically your own privately hosted pastebin.
This got me thinking about the amount of files that are stored on my Nextcloud that are just sitting there because I wanted to quickly share them with somebody but I forgot to delete them afterwards.</description>
    </item>
    
    <item>
      <title>Nextcloud Desktop Client AppImage</title>
      <link>https://rullzer.com/2017/05/29/nextcloud-desktop-client-appimage/</link>
      <pubDate>Mon, 29 May 2017 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2017/05/29/nextcloud-desktop-client-appimage/</guid>
      <description>Already back in October of 2016 probonopd made an AppImage for the Nextcloud Desktop Client. I must admit that back then I did not immediately try it out since I just run the client from source.
However, this has changed over the last few weeks as we wanted to start providing binary packages for Linux as well. When I was reading up on AppImage I got more excited. And since there already was a script to generate the AppImage I quickly built my very first AppImage.</description>
    </item>
    
    <item>
      <title>Nextcloud 11 Preview Improvements</title>
      <link>https://rullzer.com/2016/12/12/nextcloud-11-preview-improvements/</link>
      <pubDate>Mon, 12 Dec 2016 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2016/12/12/nextcloud-11-preview-improvements/</guid>
      <description>If you store images on your Nextcloud there is a big chance that you have previews enabled. Previews are used for the tiny thumbnails in the file list but also for scaled down images in gallery for example. Because nobody wants to transfer their 30 mega pixel photos all the time.
In Nextcloud 11 we have several nice improvements for you regarding previews. Including a shiny new app to pre-generate previews!</description>
    </item>
    
    <item>
      <title>Nextcloud supported PHP Versions</title>
      <link>https://rullzer.com/2016/09/13/nextcloud-supported-php-versions/</link>
      <pubDate>Tue, 13 Sep 2016 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2016/09/13/nextcloud-supported-php-versions/</guid>
      <description>As many of you probably know PHP 7.1 is planned for release at the end of November. As a preparation for this we are already running our test suite against the PHP 7.1 RC1. And we feel confident that Nextcloud 11 will run smoothly on the PHP 7.1 final for all you bleeding-edge sysadmins out there! But if you can&amp;rsquo;t wait try out the daily.
At the same time we are adding PHP 7.</description>
    </item>
    
    <item>
      <title>OCS Supported by the AppFramework</title>
      <link>https://rullzer.com/2016/09/05/ocs-supported-by-the-appframework/</link>
      <pubDate>Mon, 05 Sep 2016 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2016/09/05/ocs-supported-by-the-appframework/</guid>
      <description>Nextcloud exposes some APIs to the outside world over HTTP. There is of course our webdav endpoint. That, among other things, allows you to retrieve and store your files or update your calendar. Probably our second most used endpoint is the OCS Share API. This is used by a lot of clients that connect to your Nextcloud to share files. As the name suggests this is an OCS (Open-Collaboration-Services) API of which we have a few.</description>
    </item>
    
    <item>
      <title>ownCloud is not a backup!</title>
      <link>https://rullzer.com/2015/09/03/owncloud-is-not-a-backup/</link>
      <pubDate>Thu, 03 Sep 2015 00:00:00 +0000</pubDate>
      
      <guid>https://rullzer.com/2015/09/03/owncloud-is-not-a-backup/</guid>
      <description>I see a lot of people are setting up ownCloud these days that do not think about what it really means to do their own data management.
A lot of people have ownCloud running on a server somewhere and have the desktop sync client running on their laptop. They think their data is safe because if their laptop gets stolen or crashes the data is still on the server. Or that if the server crashes the data is still on the laptop.</description>
    </item>
    
  </channel>
</rss>