search

tijder / SmsMatrix

A simple SMS <--> Matrix bridge.
https://matrix.to/#/#smsmatrix:matrix.org
GNU General Public License v3.0
213 stars 37 forks source link

Start bridging SMS content from new contacts only after user confirmation #59

Open MurzNN opened 5 years ago

MurzNN commented 5 years ago

Many services sends verification codes, passwords and other confidential info to phone, that not good to share via Matrix bridge. But if we totally ignore them, this was not so good, because user will not informed that new sms is received and unbridged.

For solve this problem, will be good to implement mode for bridge sms from new contacts only after user confirmation.

So, SmsMatrix must handle list of whitelisted/blacklisted contacts and bridge all sms from them normally.

But when received sms from new contact - SmsMatrix bot will write in some "Status" room message to user: "Received new sms from {phone_number} contact. Allow bridge it to Matrix? [yes/no]".

And bridge sms content only after receiving yes answer.

What do you think about this idea?

mvgorcum commented 5 years ago

Adding the extra confirmation step sounds like something that would decrease the usability somewhat. Maybe we could add a filter for texts containing confirmation codes that won't be sent over the bridge.

On the other hand: Since I run my own server, I actually like it that I get met 2FA texts on matrix via the bridge.

MurzNN commented 5 years ago

Not all regular Matrix users have own private Matrix homeservers. Automatically bridging all sms to other Matrix server will create large security hole, so each admin of Matrix server can get access to message text (in database), eg, telegram account login confirmation code, bank account one-time password, etc. Create an universal filter, that detect all confirmation codes for any service, is not possible. So start bridging sms text from new contacts only after confirmation is better solution, that nothing. This may be optional.

MurzNN commented 5 years ago

Other solution for described security problem is implementing e2ee, here is feature request https://github.com/tijder/SmsMatrix/issues/26

mvgorcum commented 5 years ago

the e2ee request was sent for this reason, indeed.

As for filters: I would argue for a user-configurable filter list.

Gredin67 commented 4 years ago

I proposed white/black listing some time ago #18

jo-so commented 4 years ago

Or add an option to the app: »automatic open matrix room when message arrives«