Tighter Security in OwnCloud v9
OwnCloud is a free Web-based app that provides Dropbox-style file hosting. With the release of version 9 on the horizon, it's a good time to take a look at the improved security features.
Storing your data in the cloud is highly convenient, but it does increase the risk of data theft or tampering. Security is an essential feature of any cloud-based storage platform. And, security is a never-ending arms race between developers and crackers.
In the Open Source world, we have a major advantage in that the code is available for everyone to see. This makes it much easier for the community to spot weaknesses and contribute fixes. If two heads are better than one, millions of heads are even better.
Of course, as with any arms race, we can't afford to stand still. So the upcoming release has a number of important improvements in the area of security. The most important one is code signing.
Although many security measures are designed to prevent attackers from corrupting code, there is still a risk that it can happen, so it's important to have an added level of security that can detect and respond to an attack after it has happened. Code signing is such a mechanism.
If attackers manage to gain access to your OwnCloud installation, they could alter the code or configuration files for their own purposes. There's almost no limit to the malicious mischief they could wreak, and often there's no external sign that the code has been corrupted.
Code signing changes that. It uses a cryptographic hash function to create a unique string of symbols that represents the contents of the files. If attackers change any of those files, even by so much as a single character, the string of symbols will be different from the expected string.
As a developer or administrator, you can create a unique string for your code using a private key (that you keep private on your computer). Without the key, attackers are unable to falsify the hash string to trick the code-signing system.
The system checks the security hashes at specific points, such as when you install OwnCloud or when it is updated. If it detects a corruption, it will halt the execution and send you a message immediately.
The same goes for third-party applications. OwnCloud allows users to add applications to extend the basic functionality. If one of those applications contained an infection, it could compromise the entire system, but digital signing ensures that the app hasn't been altered by a third party.
This extra layer of security protects against a wide range of attacks, including the most extreme situation. Imagine if the official app store were hacked. Then attackers could spread their infected code to the entire community with every app that was downloaded. But, code-signing means that the infection would be detected during the installation process. The infected app would be rejected before it could cause any damage.
Code signing is just one of the new features coming to OwnCloud v9.