[Bug]: TLS MITM-compromise UX-response needs URGENT fix #7166

Open
4 of 8 tasks
Tracked by #7191
cluck opened this issue Sep 19, 2024 · 0 comments


cluck commented Sep 19, 2024

⚠️ Before submitting, please verify the following: ⚠️

Bug description

The Nextcloud desktop client keeps popping up an "Untrusted Certificate" dialog with an option to "Trust this certificate anyway" on MITM attacks on the TLS connection, usually when the user expects it the least (that is, the user is not actively configuring a connection). A fix needs to be implemented in a timely manner (which is the "new" aspect of this report).

The bugtracker keeps accumulating complaints about this situation (with good analysis, e.g. #5396). Surprisingly, these issues remain stuck in "needs triage", while none of them mention any roadblock or pending clarification.

The current UX is very detrimental to security as these popups are frequently triggered on Public WiFi and visited corporate networks where untrusted MITM-Proxies hijack all sorts of connections. People tend to click the Nextcloud warning away, just to see it re-appear shortly after (e.g. when they roamed to a different hotspot). Being annoyed by the interruption (and from not being able to "solve" the issue anyway), a preferred reaction is to tick the "trust this certificate anyway". At this point the client will happily leak the authentication credentials to whatever MITM-proxy is presenting itself; possibly revealing cleartext credentials, Kerberos tickets or client tokens.

As an Admin, I can't even contain the risk by moving the Nextcloud server into a VPN, as this would just create more popups on the client while the VPN is unavailable.

The current UX is just insecure by design. This is in stark contrast with anything mentioned at https://nextcloud.com/secure/. I cannot emphasize enough how this needs urgent development.

#6896 from Jul 9, 2024 (when behind a captive portal with no internet access dozens of popups appear (untrusted certificates))
#6517 from Mar 7, 2024 (Connection error notifications keep popping up when offline)
#6388 from Jan 28, 2024 (Client repeatedly nags about unreliable certificate)
#5967 from Aug 13, 2023 (When remote certificate is invalid, client refuses to cancel attempts for connection)
#5396 from Feb 5, 2023 (Invalid SSL cert pops warning every minute, encouraging unsafe choice)
#3347 from May 21, 2021 (Many popups asking whether to trust a server certificate)
#2702 from Dec 13, 2020 (Option (in client) to automatically reject self signed certificates?)

Steps to reproduce

See linked issues.

Expected behavior

We have a necessity to gain two configuration options in nextcloud.cfg to:

  • disable the possibility to "trust this certificate anyway"
  • silence these popups completely: just have the client silently retry the connection until the certificate turns valid/trusted again

Which files are affected by this bug

src/

Operating system

any

Which version of the operating system you are running.

any

Package

Distro package manager

Nextcloud Server version

29.0.6

Nextcloud Desktop Client version

3.13.3

Is this bug present after an update or on a fresh install?

Updated from a minor version (ex. 3.4.2 to 3.4.4)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

Are you using an external user-backend?

  • Default internal user-backend
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Nextcloud Server logs

No response

Additional info

No response
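
A sketch of the fail-closed behaviour requested under "Expected behavior", added here as an example and not taken from the Nextcloud client or from the issue author. The option names `allow_trust_override` and `silent_retry`, the backoff values, and the `authenticate` callback are hypothetical.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class TlsPolicy:
    # Hypothetical option names: the issue requests such settings but names none.
    allow_trust_override: bool = False  # False: never offer "trust anyway"
    silent_retry: bool = True           # True: no popup, retry in background
    base_delay: float = 30.0            # assumed backoff values, in seconds
    max_delay: float = 3600.0


def verified_handshake(host, port=443, timeout=10.0):
    """Finish a fully verified TLS handshake before anything else is sent."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def backoff(policy, failures):
    """Exponential delay so a captive portal does not cause a retry storm."""
    return min(policy.base_delay * 2 ** (failures - 1), policy.max_delay)


def sync_attempt(policy, host, failures, authenticate, handshake=verified_handshake):
    """Return (action, delay_seconds, failures); credentials need a valid cert."""
    try:
        handshake(host)
    except ssl.SSLCertVerificationError:
        failures += 1
        if policy.silent_retry:
            return ("retry", backoff(policy, failures), failures)
        if policy.allow_trust_override:
            return ("prompt_with_override", 0.0, failures)  # behaviour the issue reports
        return ("notify_no_override", backoff(policy, failures), failures)
    except OSError:  # offline, VPN down, DNS failure: retry, no certificate prompt
        failures += 1
        return ("retry", backoff(policy, failures), failures)
    authenticate(host)  # reached only after chain and hostname verified
    return ("synced", 0.0, 0)
```

In every failure branch `authenticate` is never called, so no password, ticket or token reaches an endpoint whose certificate did not verify.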
