
github.com/nextcloud/nextcloud.com.git - Unnamed repository; edit this file 'description' to name the repository.
author: Jos Poortvliet <jospoortvliet@gmail.com> 2018-05-10 13:11:21 +0300
committer: Jos Poortvliet <jos@opensuse.org> 2018-05-10 13:14:00 +0300
commit: 5fe97d508512be7b708a82f5c5adaa020f54cccb (patch)
tree: 54f74ad0b36644f36d60fa85af37b295ce7dc85e /page-threat-model.php
parent: d3b788608c7e15766c2f0275267283304f28a255 (diff)
more clarity and limitations on IP brute force protection
Signed-off-by: Jos Poortvliet <jospoortvliet@gmail.com>
Diffstat (limited to 'page-threat-model.php')
-rw-r--r-- page-threat-model.php 2
1 files changed, 1 insertions, 1 deletions
diff --git a/page-threat-model.php b/page-threat-model.php
index 6d90bd18..84ac0313 100644
--- a/page-threat-model.php
+++ b/page-threat-model.php
@@ -41,7 +41,7 @@ in those disabled features as not bounty-worthy.</p>
<p>We do not consider user enumeration a security risk as for convenience and for features such as Server-to-Server sharing this is an expected behaviour.</p>
<h3>Brute force of credentials</h3>
-<p>Nextcloud 12 introduced brute force protection. If you find a way around it, it would qualify as a security issue.</p>
+<p>Nextcloud 12 introduced brute force protection. If you find a way in which it is broken, it could qualify as a security issue. Of course we're aware that using TOR or similar solutions can be used to circumvent IP address based brute force protection. It is also not implemented in all endpoints, but should not allow guessing passwords at great speed from a single IP address.</p>
<h3>Server-side request forgery</h3>
<p>Nextcloud ships with multiple features that perform sending requests to other hosts, we do consider this accepted behaviour and advocate people to deploy Nextcloud into its own seggregated network segment.</p>
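Review bot: the new sentence "It is also not implemented in all endpoints" in the replaced paragraph leaves the scope of the protection undefined, which matters for a threat-model page that tells researchers what does and does not qualify as a bounty; please say which endpoints are covered (or link to the documentation that lists them) so that a report against an uncovered endpoint can be triaged consistently. The same line also has a grammatical doubling, "using TOR or similar solutions can be used to circumvent", which reads better as "Tor or similar solutions can be used to circumvent" (the project name is spelled "Tor"), and the weakened wording "could qualify" should state who decides, e.g. "may qualify at the discretion of the security team". Unrelated to this change, the unchanged context line below still carries the typo "seggregated" (should be "segregated"), worth fixing in a follow-up.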