Let’s say I use Bitwarden for my bank website and mobile app.
I log in once and get prompted to trust and store its website or mobile app code signing certificate. Now, on each subsequent login, Bitwarden compares signatures to see if the trusted cert is the same, will not autofill on untrusted sites and apps, and prompts the user about signature mismatches or unencrypted logins.
I’ve never heard of a password manager doing a sort of trust verification like this, so it’s either not possible or hasn’t been considered.
I hope that it is ok with you that I turned this into a feature request.
Of course! I hoped I had found the place to do so. Thank you. Did it sound like a practical concept because I’d never heard of a password manager that could do any sort of verification?
I imagined it would help prevent phishing attacks. It’s like we have to verify who we are so I wondered if we could verify the identity of the system to which we authenticate.
There are some problems with that request. First, certificates change, and that happens rather often. Bitwarden’s cert changes every 60 days, rendering every previously stored certificate in your vault invalid.
It would be easier if you’d just store the public key of the domain you try to access. Public keys are usually less temporary, but even then, they can change any time the service provider/website owner wants to change them.
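As an added illustration of the point above (example code, not from any poster or from Bitwarden): the Go program below self-signs a 60-day certificate, renews it with the same key pair, then re-issues it with a new key, and compares a pin over the whole certificate with a pin over only the SubjectPublicKeyInfo. The host name, dates and key pairs are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey makes a fresh P-256 key pair (constructed test data, not a real site's key).
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issueCert self-signs a 60-day leaf for host, the renewal cadence the post describes.
func issueCert(host string, key *ecdsa.PrivateKey, serial int64, from time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    from,
		NotAfter:     from.AddDate(0, 0, 60),
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// certPin hashes the whole DER certificate, so it changes on every renewal.
func certPin(der []byte) [32]byte { return sha256.Sum256(der) }

// spkiPin hashes only the SubjectPublicKeyInfo (HPKP-style): stable across renewals that reuse the key.
func spkiPin(der []byte) [32]byte {
	return sha256.Sum256(must(x509.ParseCertificate(der)).RawSubjectPublicKeyInfo)
}

func main() {
	key, jan := newKey(), time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	first := issueCert("bank.example", key, 1, jan)
	renewed := issueCert("bank.example", key, 2, jan.AddDate(0, 0, 60))
	rekeyed := issueCert("bank.example", newKey(), 3, jan.AddDate(0, 0, 120))
	fmt.Println("cert pin survives renewal:", certPin(first) == certPin(renewed)) // false
	fmt.Println("SPKI pin survives renewal:", spkiPin(first) == spkiPin(renewed)) // true
	fmt.Println("SPKI pin survives re-key:  ", spkiPin(first) == spkiPin(rekeyed)) // false
}
```

Even the SPKI pin still breaks when the site rotates its key, which is the second caveat the post raises; a manager storing such a pin would need a trust-on-first-use re-prompt for that case.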