Bitwarden Firefox & Edge extension: connecting to the internet?

Hi all, in Firefox and in MS Edge I am using the Bitwarden extension. Both extensions remember my login name, so I only need to provide my password.

My question: when I do not provide my password, are the respective extensions then connecting to Bitwarden-servers over the internet (1) and are they transferring my login name thereby (2)?

Thanks in advance, kind regards Bipp

This part of your question seems self-contradictory, so it is not clear what you’re asking.

But yes, all Bitwarden apps and browser extensions communicate with an internet server via HTTPS. Your login email address is one of the pieces of information that is transmitted to the server during the login process.

hi grb, thanks for your kind answer and apologies for my late reply. I will try to clarify:

in my browser the Bitwarden-extension is normally ‘half logged in’: it knows my login name, but I have to give my password to open the vault.

My question is: does the Bitwarden-extension transfer my login name over the internet in this situation that I am ‘half logged in’? Or does the Bitwarden-extension only do that when the vault is opened and/or open?

Background of my question: sometimes I need to use a VPN. I was wondering if the extension could give away privacy-sensitive information about me.

tnx!

Could you clarify what screen you are using to enter your password? Which of the following screens does it look like?

Screen 1: [image]

Screen 2: [image]

FYI, if you’re seeing the first screen, then you are fully logged in, but your vault is locked. If you’re seeing the second screen, then you are fully logged out (even if you had checked the “Remember email” option that pre-fills the username for you on the first page of the login form).

If you are logged out and are logging back in (Screen 2 above), then your email address and hashed master password will be transmitted to the Bitwarden servers for authentication. If you are logged in and are just unlocking your vault (Screen 1 above), then neither your email address nor your master password (or its hash) are transmitted to the Bitwarden servers — the only thing transmitted would be your session token (proof that you’ve previously authenticated).

Hi, thanks! My situation is number 1.
When I am using VPN I do not use Bitwarden, so I understand not even a token is sent.

Thank you for the clarification!
Regards, Bipp

The token is sent to confirm that your login session is still valid. For example, there are times when it is important to deauthorize all logged in Bitwarden apps and extensions (such as when you make a change to the security settings of your account, or you have received notification of a login from a device that is not yours); in addition, login sessions expire automatically after 30 days.

Thus, each logged in Bitwarden app and browser extension communicates with the server when you open Bitwarden, to make sure that the login session is still valid.

If you are not using (unlocking) Bitwarden, then the Bitwarden client app or extension will not send a session token to the server.

If you want to unlock your logged-in Bitwarden app but prevent it from communicating with the cloud server, then simply disconnect your device from the internet before opening the Bitwarden app or browser extension.

thanks once more grb!!
