Privacy

48713 readers

954 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

377

"The Quiet Renovation at Bitwarden" (it isn't good) (blog.ppb1701.com)

submitted 3 days ago by RotatingParts@lemmy.ml to c/privacy@lemmy.ml

132 comments fedilink hide all child comments

If you are interested in privacy you are probably interested in password storage ... plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.

you are viewing a single comment's thread
view the rest of the comments

[–] dogs0n@sh.itjust.works 1 points 2 days ago (1 children)

That's a fair point, I was mostly pointing out in the original comment that VPNs are an option that stops your password manager being exposed to the internet (though if their NextCloud IS exposed to the internet and is syncing their password db, then there is not much difference).

Plus you can tunnel traffic that needs to go to your VPS through the VPN, leaving all other traffic untouched (ie not tunneled), if you are worried about leaving it connected by accident. This would be max convenience.

[–] AHemlocksLie@lemmy.zip 0 points 2 days ago (1 children)

Compromising Vaultwarden provides an opportunity to inject malicious JavaScript and steal the database password when it's opened. NextCloud can never leak any info about how I open my password database.

[–] dogs0n@sh.itjust.works 2 points 2 days ago* (last edited 2 days ago) (1 children)

Any password manager could be comprimised. A bug could even be installed on your system or malware. What's the difference?

NextCloud doesn't know how you open the password db, but KeePass (for example) does, so the master pass comprimise would be with that.

Specifically the syncing part being done with any tool, doesn't matter.

Who or how are you thinking Vaulwarden is being comprimised?

[–] AHemlocksLie@lemmy.zip 0 points 2 days ago (1 children)

Sure, any manager could be compromised, but no client that handles my password database in any way connects to the internet, and all of them come from either signed Linux packages or signed Android apps. If Vaultwarden has a security vulnerability, you can steal the key and the database. If NextCloud is compromised, you can steal the database but not the key. To compromise the password manager client would require either stealing the publishing keys or getting the original author to publish a malicious version.

[–] dogs0n@sh.itjust.works 1 points 2 days ago (1 children)

I see your point, but if your server can only be accessed through a VPN, I think the risk is mitigated. Maybe I'm being naive.

[–] AHemlocksLie@lemmy.zip 1 points 2 days ago

Yeah, that would largely mitigate the risk, but this whole discussion started because I personally didn't want to do that.