Discussion: Quick but (rather) secure sharing

feature-request

#1

I do not get the concept of the guest app.
Do I understand it correctly that I can share a file to an "email-address" and this email-address then can register an account, create a password and access the shared file?

Secure Sharing with arbitrary users

I would like to share a file with an arbitrary user. Imagine a user whom I see only once. It is not necessarily a recurring user but someone who might only access the file once or maybe only every now and then, seldom.

In my opinion sharing via email is not safe. So I would like to share the link/password/access via a 2nd channel. I could give him a call (also not safe, since all calls are recorded) or send him an SMS (also not safe, since SS7 sucks).
Anyway, IMHO using a phone or an SMS is still a bit more secure than an email. (If I want to do high security, I will do public key crypto.)

How would I do this?

I imagine a simple way to share a file like:

  • share the file to an email address and
  • send the password for sharing e.g. via SMS.

This way I can ensure that a simple eavesdropper on the network or the exchange administrator is only able to see the password-protected link and only the user can access this link.

Also my workflow when sharing stays relatively simple, since I only would have to enter the mobile phone number in the ownCloud sharing dialog and the email address and OC would contact the SMS gateway to have the SMS sent.

What do you think?


#2

That's correct.

After that is established you can then share further files/folders with a user.

So the discussion is about sending the original create link to the user, of course this can be done by SMS. Requires: SMS Gateway and the ability to enter the phone number and a config option for the admin to allow the one or the other or both.
The current app function was very much created based on customer feedback. But I can very much see the additional security gain.

Recommend to open it as FR in the guest github or start a PR. But we also need to consider the SMS gateway interface. I know of several people who wanted to do one, but it doesn't exist yet, IMHO. (Pointers welcome otherwise).


#3

This could be done modular with a Notification Class.

This could either be an SMTP gateway or any kind of SMS gateway.

In privacyIDEA we implemented this in a rather modular way. SMS can be sent via an HTTP SMS gateway, via an SMTP SMS Gateway or SMS via sipgate...
But it could be even more modular: Not bound to SMS:

  • Notify via email
  • Notify via SMS
    • HTTP
    • Email
    • Sipgate
  • Notify via WhatsApp API
  • Signal

...you name it.
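
The workflow discussed in this thread (link by email, password over a second channel, pluggable notifiers), sketched as an added example that is not part of any post and is not ownCloud or privacyIDEA code. All class and function names, the `/s/<token>` link layout and the sample recipients are assumptions, and the notifiers record messages in memory instead of calling a real gateway.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

class Notifier:
    """One delivery channel. Hypothetical interface, not ownCloud or privacyIDEA code."""
    channel = "abstract"
    def __init__(self):
        self.outbox = []  # stands in for the real SMTP/HTTP gateway call
    def send(self, recipient, message):
        self.outbox.append((recipient, message))

class EmailNotifier(Notifier):
    channel = "email"

class HttpSmsNotifier(Notifier):
    channel = "sms"

@dataclass
class Share:
    token: str
    salt: bytes
    pw_hash: bytes  # the server keeps only a salted hash of the password

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_protected_share(base_url, link_via, link_to, secret_via, secret_to):
    # The second channel gains nothing if both messages travel the same
    # way (e.g. both land in one mailbox), so refuse that configuration.
    if link_via.channel == secret_via.channel:
        raise ValueError("link and password must use different channels")
    token = secrets.token_urlsafe(16)     # unguessable link identifier
    password = secrets.token_urlsafe(12)  # generated, never chosen by the sharer
    salt = secrets.token_bytes(16)
    link_via.send(link_to, f"A file was shared with you: {base_url}/s/{token}")
    secret_via.send(secret_to, f"Password for your shared file: {password}")
    return Share(token, salt, _hash(password, salt))

def verify_password(share, candidate):
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(_hash(candidate, share.salt), share.pw_hash)

if __name__ == "__main__":
    mail, sms = EmailNotifier(), HttpSmsNotifier()
    # Constructed sample recipients.
    create_protected_share("https://cloud.example.test", mail,
                           "guest@example.test", sms, "+10000000000")
    print(mail.outbox, sms.outbox)
```
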