Update: (Disclaimer: I'm not a cryptographer, and not affiliated with or sponsored by Passbolt in any way, shape or form.) I've reviewed another Open Source personal and team password manager called Passbolt. Without going into a full review, its security looks impressive. Passbolt uses plain, old, trusted GPG with asymmetric public / private key encryption to encrypt and share secrets. Secrets are end-to-end encrypted, and a separate browser plugin is used for the client-side encryption. This (apparently) makes the crypto safer than plain Javascript client-side encryption. This architecture is also more resilient against server-side breaches, as an attacker that gains access to the server cannot inject code into the javascript, given that it's a separate plugin. (yada, yada, CPRNG) The private key never leaves your client, as far as I can tell. The Open Source version does not support 2FA; however, it already requires the private key and a password (with which the private key is encrypted). Passbolt is slightly less easy to use, but for team-based password sharing, I highly recommend it.

Update: Kyle Spearrin, the lead developer of Bitwarden, contacted me regarding this blog post. Some issues (unnecessary loading of resources from CDNs and disclosure of my email address to a third party without confirmation) have already been resolved. Mitigations for other issues were already in place, although I haven't had time to confirm this yet. I'll update this post with more details as soon as possible.

Bitwarden is an open source online password manager: "The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data." Bitwarden offers both a cloud hosted and an on-premise version.

Some notes on the scope of this blog post and disclaimers: I only looked at the cloud hosted version. This security review is not exhaustive; I only took a few minutes to review various things. I'm not a security researcher, just a paranoid enthusiast. If you find anything wrong with this blog post, please contact me at ferry DOT boender (AT) gmaildotcom.

Here are my findings:

Encryption password sent over the wire

There appears to be no distinction between the authentication password and the encryption password. When logging in, the following HTTP POST is made to Bitwarden's server: client_id: web
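To make the distinction the finding above is about concrete, here is an added example (written for this post, not Bitwarden's implementation) contrasting a login request that sends the vault secret itself with one that derives a separate authentication secret client-side; the PBKDF2 parameters and the use of the email as salt are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the original post).
MASTER_PASSWORD = "correct horse battery staple"
EMAIL = "user@example.com"
KDF_ITERATIONS = 100_000


def naive_login_request(password: str, email: str) -> dict:
    """Weak pattern: the secret that also protects the vault goes over the wire as-is."""
    return {"client_id": "web", "username": email, "password": password}


def derive_encryption_key(password: str, email: str) -> bytes:
    """Vault encryption key, derived client-side and never transmitted.
    The lowercased email serves as a per-user salt (an assumption of this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), KDF_ITERATIONS)


def derive_auth_secret(enc_key: bytes, password: str) -> bytes:
    """Authentication secret: one further one-way step over the encryption key,
    so whatever the server (or the network) sees cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", enc_key, password.encode(), 1)


def split_login_request(password: str, email: str) -> dict:
    """Hardened pattern: only the derived auth secret is put on the wire."""
    enc_key = derive_encryption_key(password, email)
    auth_secret = derive_auth_secret(enc_key, password)
    return {"client_id": "web", "username": email, "password": auth_secret.hex()}


def server_enroll(auth_secret_hex: str) -> dict:
    """Server side: store a salted, stretched hash of the auth secret, never the secret itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", bytes.fromhex(auth_secret_hex), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


def server_verify(record: dict, auth_secret_hex: str) -> bool:
    """Constant-time comparison of the presented auth secret against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", bytes.fromhex(auth_secret_hex), record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def wire_reveals_encryption_key(request: dict, password: str, email: str) -> bool:
    """Reviewer's check: does the POST body carry the vault key, or the raw password that yields it?"""
    sent = request["password"]
    return sent == password or sent == derive_encryption_key(password, email).hex()
```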