undefined | Better HN

0 pointsbee_rider3y ago0 comments

I see a lot of people mentioning bitwarden around here; is their actually a technical reason to believe they are better than Lastpass or any of their competition (have they like open sourced all their stuff?).

There’s very little room for failure and learning in the online password safe field, so I generally assume these companies are in one of two states:

* has unknown bugs waiting to be revealed

* out of business

0 comments

hoistbypetard3y ago

> is their actually a technical reason to believe they are better than Lastpass or any of their competition (have they like open sourced all their stuff?).

You can see their server and client code here: https://github.com/bitwarden

I choose to use their clients unmodified, along with an instance of the server formerly known as "bitwarden_rs" running in my basement as the sync backend. https://github.com/dani-garcia/vaultwarden

I still pay them annually for their "freemium" features even though I prefer not to let them host my data.

fruit20203y ago

Do you expose your server to the internet or is it ok to sync devices only when you’re at home? Is every device a replica, if you lose your server can you redeploy it from the data on your device?

diarrhea3y ago

Not the parent, but I have been hosting a Vaultwarden instance on the public internet for about two years now.

After learning about certificate transparency logs, I moved the app from a raw subdomain behind a secret URL path. Think “hello.domain.com/correcthorsebatterystaple”.

Is it security by obscurity? You bet. Does it work? Yes. I regularly evaluate the JSON logs emitted by Caddy in a pandas script and so far, no foreign party has even hit that endpoint.

It’s like an extra username of sorts you’d have to know. I’ve always been unsure of where to draw the line when it comes to obscurity. People online are viciously against it, but isn’t a password also just obscurity, if you squint your eyes real good? It’s all secrets users would need to know.

All that being said, I’m thinking of hosting it at-home-only as well. Would be a huge win in security and barely any loss in convenience.

2 more replies

hoistbypetard3y ago

I currently have my server at home connected via wireguard to a VPS. On that VPS, I run Caddy and have it reverse proxy back to my server over wireguard.

If I were building it out today I might just use tailscale and be done with it.

I'm not sure about whether every device is a replica of the server. I believe that's the case (given how they behave when the server is offline) but that doesn't figure into my recovery plan.

pch003y ago

> You can see their server and client code here: https://github.com/bitwarden

But in the case of the mobile apps, downloaded from their respective platform's app store, how can you guarantee the code you see on github is the exact same code you're running on your device?

Admittedly this supply-chain-verification is an issue for all mobile app store apps but seems particularly important with something like a password manager.

ionspin3y ago

In a perfect scenario you would be able to use a reproducible build [0], for Android you can actually get Bitwarden from F-Droid [1] which uses those reproducible builds.

For Google play store, there was also that developers needed to sign their apps before releasing to stores, so you knew that it came from developer, but Google removed that when they introduced app bundles. There is still a way to verify if the build is the same as developer provided, but automatic protections that were there are now gone [2]

[0] https://en.wikipedia.org/wiki/Reproducible_builds [1] https://mobileapp.bitwarden.com/fdroid/ [2] https://arstechnica.com/gadgets/2021/07/google-play-dumps-ap...

1 more reply

hoistbypetard3y ago

Short of building the client yourself, I don't believe it's practical to verify that.

I haven't been willing to take it that far yet, though that appeals to me.

eternityforest3y ago

BitWarden is open source with some freemium features. It's what I use at the moment. I believe it has third party network audits.

As far as I know it's fully E2E encrypted, and has never had a data breach.

The only thing I don't like is the lack of SMS based 2FA, although I appreciate their commitment to maximum security by not allowing it .

j / k navigate · click thread line to collapse

0 comments

hoistbypetard3y ago

> is their actually a technical reason to believe they are better than Lastpass or any of their competition (have they like open sourced all their stuff?).

You can see their server and client code here: https://github.com/bitwarden

I choose to use their clients unmodified, along with an instance of the server formerly known as "bitwarden_rs" running in my basement as the sync backend. https://github.com/dani-garcia/vaultwarden

I still pay them annually for their "freemium" features even though I prefer not to let them host my data.

fruit20203y ago

Do you expose your server to the internet or is it ok to sync devices only when you’re at home? Is every device a replica, if you lose your server can you redeploy it from the data on your device?

diarrhea3y ago

Not the parent, but I have been hosting a Vaultwarden instance on the public internet for about two years now.

After learning about certificate transparency logs, I moved the app from a raw subdomain behind a secret URL path. Think “hello.domain.com/correcthorsebatterystaple”.

Is it security by obscurity? You bet. Does it work? Yes. I regularly evaluate the JSON logs emitted by Caddy in a pandas script and so far, no foreign party has even hit that endpoint.

All that being said, I’m thinking of hosting it at-home-only as well. Would be a huge win in security and barely any loss in convenience.

2 more replies

hoistbypetard3y ago

I currently have my server at home connected via wireguard to a VPS. On that VPS, I run Caddy and have it reverse proxy back to my server over wireguard.

If I were building it out today I might just use tailscale and be done with it.

I'm not sure about whether every device is a replica of the server. I believe that's the case (given how they behave when the server is offline) but that doesn't figure into my recovery plan.

pch003y ago

> You can see their server and client code here: https://github.com/bitwarden

But in the case of the mobile apps, downloaded from their respective platform's app store, how can you guarantee the code you see on github is the exact same code you're running on your device?

Admittedly this supply-chain-verification is an issue for all mobile app store apps but seems particularly important with something like a password manager.

ionspin3y ago

In a perfect scenario you would be able to use a reproducible build [0], for Android you can actually get Bitwarden from F-Droid [1] which uses those reproducible builds.

[0] https://en.wikipedia.org/wiki/Reproducible_builds [1] https://mobileapp.bitwarden.com/fdroid/ [2] https://arstechnica.com/gadgets/2021/07/google-play-dumps-ap...

1 more reply

hoistbypetard3y ago

Short of building the client yourself, I don't believe it's practical to verify that.

I haven't been willing to take it that far yet, though that appeals to me.

eternityforest3y ago

BitWarden is open source with some freemium features. It's what I use at the moment. I believe it has third party network audits.

As far as I know it's fully E2E encrypted, and has never had a data breach.

The only thing I don't like is the lack of SMS based 2FA, although I appreciate their commitment to maximum security by not allowing it .

j / k navigate · click thread line to collapse