undefined | Better HN

0 pointsRadiozRadioz3y ago0 comments

So is LastPass, but we users changed our passwords in December anyway as a precaution. Bitwarden is still a central entity that needs to be trusted to manage the zero knowledge platform with competence, e.g. not storing unencrypted metadata in a backup.

0 comments

panarky3y ago

Because LastPass is a bad actor that falsely claimed to have a "zero knowledge architecture" that couldn't be compromised if they were hacked, and kept their code secret so nobody could independently assess their implementation, and then proceeded to store critical user data unencrypted, which was promptly hacked and leaked, that means the risks must be identical with Bitwarden, which publishes client and server code in public, so anyone can inspect their implementation.

LelouBil3y ago

They cannot store unencrypted data because the whole vault is encrypted client side.

And thats verifiable because their clients are open source.

RadiozRadiozOP3y ago

That specific fault applied to LastPass, I used it as an example of a flaw in a system advertised as zero knowledge, to demonstrate that not all systems are created equal. It is true that BitWarden's Open Source nature helps prevent silly things like that.

You raise a good point that their open source clients are _verifiable_, but they're not often _verified_. I'm certain that you verify the checksums of all your updates or exclusively build from source, but the distribution channels on most platforms encourage users to trust updates from BitWarden inc. If those channels are compromised, most users are one unchecked automatic Play Store update away from a problem.

Not disagreeing, just noting that Open Source is not a silver bullet given BitWarden's default architecture is centralised web service with centralised client distribution channels.

j / k navigate · click thread line to collapse