in an enterprise context where CAs are deployed by way of policies
when nation-states or hackers use rogue CAs trusted by browsers (many examples in the past few years)
If such an MITM has had access to the master encryption key once, they can access the new vault data every time it transits over a network they control without the device itself being compromised.
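The point made above, as an added illustration that is not part of the original post: a key captured once decrypts every later ciphertext produced under it, and only re-encrypting the vault under a fresh key (key rotation) closes that window. The scheme below is a constructed, stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) chosen so the example runs offline; it stands in for whatever cipher a real vault uses and is not Bitwarden's code.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (constructed for this example).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def rotate_key(old_key: bytes, blob: bytes) -> tuple[bytes, bytes]:
    # Re-encrypt the vault under a fresh random key; the old key is then useless for it.
    new_key = secrets.token_bytes(32)
    return new_key, encrypt(new_key, decrypt(old_key, blob))

def attacker_can_read(captured_key: bytes, intercepted_blob: bytes) -> bool:
    # Models an MITM who captured the key once and now sees a new sync payload.
    try:
        decrypt(captured_key, intercepted_blob)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    key = b"\x11" * 32                      # constructed master key, assumed captured
    vault = encrypt(key, b"login: alice / hunter2")
    print("before rotation, attacker reads new sync:", attacker_can_read(key, encrypt(key, b"new item")))
    new_key, vault = rotate_key(key, vault)
    print("after rotation, attacker reads new sync:", attacker_can_read(key, encrypt(new_key, b"new item")))
```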
@kspearrin No, the report is far from being as assertive as you are: “An item has been added to the product backlog to re-evaluate the current design to see if adding a key rotation function to Bitwarden would be feasible.”
For me that means “maybe”, plus the whole assessment is worded in such a way as to downplay the impact of the issue.
But if you say that this will be fixed and you’re working on it, then that’s a different story.
This is fantastic news! When the key rotation is occurring, is the decrypted vault data in memory, or in a file too? Trying to determine what concerns to have about either data loss or attack (like a hypervisor CPU side channel if on a self-hosted but multi-tenant hypervisor).