✅ Encryption suggestions (including Argon2)

@fzxx

Firefox is now 2023.2.1 :partying_face:

2 Likes

On Win11 x64 with the latest Firefox, I first tried using ‘login with another device’, which resulted in a blank dialog box and no ability to access any data, even from a right-click on the extension.

Uninstalling the addon, then reinstalling the addon and logging in with the master password made things work correctly.

It now also allows ‘login with another device’ without issue.

Suggest anyone logging in on the first occasion, if using Argon2id, to first decrypt with the master password.

Please, it is very important to develop other encryption options like AES-GCM

Would love XChaCha20 like NordPass.

Will Bitwarden be implementing XChaCha20 in future? @bw-admin

1 Like

I would be surprised.
When I see how hard it was to get them to implement Argon (which adds significant benefits).

The gain of switching to ChaCha for small I/O like passwords will be negligible IMHO.

Dear community,
I have found several articles on the Internet that make me question the security of the AES-CBC algorithm. Wouldn’t it be better to use the AES-GCM or XChaCha20 algorithm, to be sure to use a currently inviolable algorithm?

The attacks you list either rely on non-random IVs (not the case in Bitwarden, they are random) or are attacking the malleability of the cipher, which only works if they are not integrity protected. These days Bitwarden only uses AES-CBC with HMAC-SHA256 integrity protection, so these attacks don’t work either. AES-CBC is fine if used correctly and horribly insecure when used incorrectly. So far no vulnerability was found in Bitwarden’s use. By the way, AES-GCM also has attacks when not used in a very specific way (Why AES-GCM Sucks - Dhole Moments). ChaCha20-Poly1305 is nice, but afaik would require another WebAssembly module, and given the lack of attacks against aes256cbc-hmacsha256 it’s not too pressing imo.

The XChaCha20 algorithm could be a game changer for Bitwarden and make it one of the most secure password managers, perhaps even from quantum attacks. I understand that the aes256cbc-hmacsha256 solution is a viable solution. Does using AES-CBC with Argon2id further improve the level of security?

Not necessarily. Against symmetric ciphers, such as both AES (in any chaining mode) and ChaCha20, the best published attack (that I know of) is Grover’s algorithm. And even that doesn’t break the security, it only slightly weakens it. So much so that NIST still considers AES-128 secure for decades. I.e. the quantum threat to the symmetric crypto in Bitwarden is just not there (at least with current algorithms).

On the other hand, asymmetric crypto (be it RSA or Ed25519) could be broken instantly if quantum computers were to scale to be able to run e.g. Shor’s algorithm. While these are not used for your main vault, RSA is used in a few places in Bitwarden, namely: passwordless login (your master key is transported, encrypted with the requesting device’s public key) and organizations (the organization’s symmetric key is encrypted with members’ public keys for each member).

If the asymmetric crypto were to be broken, should an attacker have a full copy of the database (how they would get this is another matter, of course) they would instantly gain access to all organization credentials. If the attacker had access to passwordless login requests, even old ones, they would instantly get access to the account’s master password hash and master key, which they could use to retrieve the new vault and decrypt it, all without breaking AES.

Now, while this sounds scary, quantum computers are just not there yet. Heck, even most protocols, such as TLS (which the entire web runs on), still mostly rely on RSA or Ed25519. These would also instantly be broken. When the newer quantum-resistant asymmetric crypto schemes get standardized and added to common crypto libraries, at that point I think Bitwarden could migrate to these schemes. (Now is definitely not the time, as these new crypto schemes have not been sufficiently tested, such that migrating to them could open your vault to new attack vectors.)

Does using AES-CBC with Argon2id further improve the level of security?

Using Argon2id instead of PBKDF2 does not help against quantum attacks. It does help make it harder to conduct an offline brute-force on GPUs/ASICs in case your encrypted vault somehow got leaked.

2 Likes

Closing this thread to free up votes as Argon2 support has now been implemented.

For additional encryption suggestions, please break out into specific posts for voting and discussion.

2 Likes