undefined | Better HN

0 pointsshakna5y ago0 comments

> I'm under the impression that the "encrypt master key with the receiver's public key" step is done on-client

However, what would prevent them sending two public keys, one for your contact, and one for someone else? Or sending the wrong public key?

How is the key exchange itself verified other than "Bitwarden user"?

Those questions aren't answered.

0 comments

warkdarrior5y ago

They are answered right in the help article: https://bitwarden.com/help/article/emergency-access/#confirm...

"To ensure the integrity of your encryption keys, verify the displayed fingerprint phrase with the grantee before completing confirmation."

shaknaOP5y ago

So keys aren't verified at all. That seems like something that needs more than a single sentence that comes _after_ they explain the confirmation process.

j / k navigate · click thread line to collapse