Currently some operations, e.g., imports, require us to log into the web vault at vault.bitwarden.com. So an intruder attacking the server could steal our password or our private data in decrypted form.
For greater security, after we have logged into our local instance of Bitwarden, it should be possible to do all operations without ever allowing the server to have access to our password or our private data in decrypted form.
For even greater security, an option could be added that, if set, would completely prohibit all web vault logins, and only allow logins into a local instance of Bitwarden. Logins into the server would then be used only for less security-critical activities such as billing.
No decrypted data is ever stored on the server under any circumstances.
Using the web vault is no exception to this.
We’re assuming that the server has been attacked by an intruder.
Ah, I might be misunderstanding your first post, then.
You’re concerned that an attacker modifies the webpage/scripts of the web vault to compromise your credentials by, for example, sending your plaintext credentials to an attacker-controlled server.
The concern is less that the Bitwarden server gets access to decrypted data and more that an attacker can modify the webpage sent to your browser to do whatever they want.
No matter what, I certainly support having feature parity across all platforms, both for security and convenience.
A simple solution that I can think of right now could be to have the local Bitwarden instance include its own copy of the web vault. Then, instead of loading the webpage sent from the server, have the local copy loaded, thus throwing away any potentially compromised code.
I’m sure @kspearrin chuckles every time one of us users proposes a “simple” solution. But yes, something like that would work.
Hehe, I meant more that it is simple in concept, rather than implementation.
I don’t believe that there should be huge technical limitations to prevent doing something like that, however.