
Last time I checked Bitwarden was not encrypting data on the client. Did that change?

Also, OSS does not mean secure. Without audits from security experts, I can’t trust it.

Bitwarden is objectively less secure than 1Password or Keepass actually, at the very least because it doesn't have a desktop application.




> Since all of your data is fully encrypted before it ever leaves your device, only you have access to it. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

From the linked page (https://bitwarden.com/)


Bitwarden has a desktop client.

If you are hosting it on your private server does it change your outlook on its security?


No, it’s worse.


Very thorough argument.


Matches the question, but should be obvious why.

I do not have the inclination or resources to secure and keep my server up to date, unless we are talking about a periodic "apt upgrade" that I could configure to run automatically, but no more than that. And at the very least I know how to reasonably secure a Linux server, at least initially.

If running your own server gives you peace of mind in terms of security, then read more about how security works and the threat model you'll face. Just to give an obvious example ... running your own Wordpress is one of the worst things you can do on your own server, putting your whole server at risk, not just your website.


> running your own Wordpress is one of the worst things you can do on your own server, putting your whole server at risk, not just your website.

My personal experience says this is 100% true.

Even when I've managed to stay on top of WP updates, my server is invariably targeted by automated attacks more often than others that are hosting static sites and other frameworks. I strongly suspect that attackers maintain lists of server addresses that host WordPress sites and use that to make assumptions about their running services. If they know that it's a "self-hosted" webserver, even if they can't break WordPress there's a very good chance that some other unpatched vulnerability exists.


> If running your own server gives you peace of mind in terms of security, then read more about how security works and the threat model you'll face.

I don't know about this argument. On the one hand you can configure something as secure as you like/can, on the other hand you have to trust other people to do their best. If you don't trust them with your passwords, you would also not trust them to do their best.

If you host it yourself, a paranoid me would make the instance accessible only inside a stable VPN xor by tunneling a port via SSH.


You're right in the aspect that OSS does not mean secure... don't agree with the down-votes here.

OSS can often mean less secure. Unless you have the capabilities to fully audit the software you shouldn't fully trust OSS... unless it has an external audit.



