Allow user to trust self-signed certificates within mobile app, as Nextcloud and other apps allow

Feature name

Feature function

  • What will this feature do differently?

    • The current workflow for using self-signed certificates with Bitwarden requires installing a CA certificate into the device’s trusted certificate store. On Android at least, this is far more dangerous than a feature to trust a single self-signed certificate would be: a user-installed CA can, under certain conditions, be used to tamper with all of the device’s traffic, when all we want is to vouch for one self-hosted Bitwarden server. With this feature, the user could trust that one certificate from within Bitwarden, and only for Bitwarden, instead of overriding the device’s entire certificate system by creating their own authority. This limits the scope of damage if the CA key were ever leaked and, better still, removes the need to create your own CA in the first place, avoiding that problem entirely.
  • What benefits will this feature bring?

    • For the reasons given above, not needing to create and trust your own CA improves security.

    • This would allow users to connect directly by IP address rather than through DNS, which is useful on an isolated internal network or VPN for users who do not want to, or cannot, run their own DNS server or edit their hosts file just to point internal IP addresses at hosts that are only publicly exposed in order to obtain a legitimate HTTPS certificate from Let’s Encrypt or the like.

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?

    • I use the Wireguard app on my Android phone not only to access my internal network at home, but also - via a third-party VPN provider - to access the internet. So, I have peers for my individual servers and devices, and one separate default route peer. I do not want my connectivity to be dependent on my own servers, so I use public DNS resolvers, and when I access internal services, I do so by IPv6 address. The Wireguard VPN enforces the routes to these addresses, which helps to avoid MitM attacks, even if my internal network cannot be reached. This is potentially more secure than relying on DNS, because I know exactly where my traffic is going, and I do not need to be dependent on a locally-controlled DNS server. Unfortunately, since my phone is not rooted and Android does not support chaining VPNs, I cannot edit the hosts file or even simulate this functionality.

    • For the most part, my setup works just fine; apps like Nextcloud allow me to trust the self-signed certificate manually, and Fennec (Firefox) allows me to Accept the issue and continue. Again, this is not a problem because the remote server identity is cryptographically guaranteed by Wireguard, which is configured as always-on.

  • Are there any references to this feature or function on other platforms that may be helpful?

    • Nextcloud allows permanently trusting certificates individually (until expiration). This is the ideal behavior, in my opinion.

    • FairEmail allows permanently trusting certificates individually (until expiration).

    • Fennec (Firefox) allows one-time overrides for certificates not validated by a CA.

      • On a PC, you can do so permanently, without creating a CA.

    • As with Firefox, with Chromium-based browsers, you can allow one-time overrides for certificates not validated by a CA.

      • On a PC, you can do so permanently, without creating a CA.
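To make the scoping argument from the feature description concrete, here is an added example, not code from Bitwarden or from any of the apps mentioned above, of what "trust this one certificate, only for this app, only for this host, until it expires" looks like as a pin store in Python's standard library. Everything in it is hypothetical (the `PinStore` and `connect_pinned` names, the `fd00::10` address, and the byte strings standing in for DER certificates are all constructed for the demo). The contrast with installing a CA is the point: a pin recorded here answers only for its own host, whereas a CA in the device store is an answer for every host.

```python
# Added example (not Bitwarden's code): per-app, per-host trust of exactly one
# self-signed certificate, pinned by fingerprint, instead of installing a CA in
# the device's trust store. Names (PinStore, connect_pinned) are hypothetical.
import hashlib
import hmac
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class PinnedCert:
    host: str            # hostname or IP literal the pin is scoped to
    fingerprint: str     # SHA-256 over the DER-encoded certificate, hex
    not_after: datetime  # trust lapses when the certificate expires


class PinStore:
    """Trust decisions held by this app only, each scoped to a single host."""

    def __init__(self):
        self._pins = {}  # host -> PinnedCert

    @staticmethod
    def fingerprint(der: bytes) -> str:
        # The value a user reviews when an app asks "trust this certificate?"
        return hashlib.sha256(der).hexdigest()

    def trust(self, host: str, der: bytes, not_after: datetime) -> None:
        """Record the user's decision to trust this exact certificate for host."""
        self._pins[host] = PinnedCert(host, self.fingerprint(der), not_after)

    def is_trusted(self, host: str, der: bytes, now=None) -> bool:
        """True only for the pinned certificate, on the pinned host, before expiry."""
        now = now or datetime.now(timezone.utc)
        pin = self._pins.get(host)
        if pin is None or now >= pin.not_after:
            return False
        return hmac.compare_digest(pin.fingerprint, self.fingerprint(der))


def connect_pinned(store: PinStore, host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that is kept only if the peer presents the exact
    certificate pinned for `host`. CA and hostname checks are switched off
    because the pin, not the CA system, is the trust anchor here; the pin is
    checked right after the handshake, before any application data is sent.
    (Not exercised by demo(): it needs a reachable server.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not store.is_trusted(host, der):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate presented by {host} is not the pinned one")
    return tls


def demo() -> dict:
    """Scope check: the same certificate is accepted for its own host only, a
    different certificate is rejected, and trust ends at expiry. The byte
    strings are a constructed stand-in for DER certificates; a real one comes
    from getpeercert(binary_form=True) after the user has reviewed the fingerprint."""
    der = b"constructed DER stand-in: self-signed cert for the vault"
    other_der = b"constructed DER stand-in: some other certificate"
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expiry = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = PinStore()
    store.trust("fd00::10", der, expiry)  # constructed IPv6 literal reached over the VPN
    return {
        "same_cert_same_host": store.is_trusted("fd00::10", der, issued),
        "same_cert_other_host": store.is_trusted("vault.example", der, issued),
        "other_cert_same_host": store.is_trusted("fd00::10", other_der, issued),
        "same_cert_after_expiry": store.is_trusted("fd00::10", der, expiry),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The pin is over the whole DER certificate, so a renewed certificate (new key or not) has to be re-approved by the user, which matches the "until expiration" behaviour the post describes for Nextcloud and FairEmail. And `connect_pinned` disables the CA and hostname checks only for the one connection it makes; nothing about the device's trust store changes, which is exactly the difference from the current CA-install workflow.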