Comment on Self-hosting in 2025 isn't about privacy anymore - it's about building resistance infrastructure
Prior_Industry@lemmy.world 1 day ago
The only concern I have seen written is if someone altered how the bitwarden client / extension itself works to expose / extract your vault. Not sure how feasible that would be.
Appoxo@lemmy.dbzer0.com 1 day ago
FYI as my former comment hasn't federated yet: I delete my comment because I suspected my edits wouldn't go through fast enough for everyone to see.
So I deleted it and reposted as a new comment: lemmy.dbzer0.com/comment/23665757
Anyway: Could you elaborate what you mean exactly?
Prior_Industry@lemmy.world 1 day ago
So say for example that someone manages to get into a position (or the Bitwarden Devs) to alter the code for the Bitwarden Chrome extension that is then deployed from their update service to your device. You then login to your vault so the items on it are then readable. At that point your vault in theory would be compromised.
I just want to say, this was something I saw another user put up as a risk, so I don’t know if that’s actually feasible to achieve.
Even so, I still use Bitwarden. If you’re getting that deep into the weeds, unless you are writing all the code yourself or interrogating the code others put up before updating your system this sort of thing would always appear to be a risk.
Appoxo@lemmy.dbzer0.com 1 day ago
You basically mean a supply-chain attack?
I mean…Sure that’s a valid concern but on the other hand, Bitwarden is OSS, the client and AFAIK the server components.
So the threat looks to me identical for Bitwarden as it is for Keepass.
But it’s probably easier to infiltrate the actual user system and wait for the unlock of the vault to happen for exfiltration than just stealing the vault with argon2id salted hashes and trying to crack that open.
It may be of concern for a state/big corp person of interest but you and me? Probably less so.
I’ll continue paying for Bitwarden.
Not of interest having to mess with password safekeeping.
Same goes for email.
Yes, I could host the server at home and use an SMTP relay for sending emails from a reputable emailing IP but the email provider I currently use at the price is okay enough for me to not really care. So I don’t :p