The bitwarden addon for TOR Browser actually tunnels the access connections to the bitwarden server over the TOR network.
This can be a major problem, depending on where you are self-hosting your bitwarden server!
Consider this: you are self-hosting bitwarden in your home lab and it is running on your own home landline. Then the public IP of your home lab is connected to your real life identity. Now if you surf with torbrowser and the bitwarden connection uses the same exit node as your surf traffic, then it is easy to link your surf traffic to your home lab IP and thus to your identity.
What you really want is that the bitwarden traffic uses a different TOR exit node than your surf traffic, or not the tor network at all. Then the bitwarden traffic is independent of your surf traffic. It should be no problem to reveal that you are using a self-hosted bitwarden instance as long as the access cannot be correlated to the surf traffic. Alternatively the bitwarden addon must use a separate TOR circuit with a different exit node than the TOR browser surf traffic.
Any ideas how to achieve that with the current implementation of TOR Browser and the corresponding bitwarden addon?
Or would this require changing the bitwarden addon? If so please let me know and I would place a feature request.
maybe you should wait for a few more replies.
for the time being my proposal:
use VPN from client to self hosted infrastructure and use this as jump point into hidden network.
you might be able to change ports or do crazy stuff on the routing table of your local instance before it goes into the hidden network.
e.g. change port of bitwarden server to other than SSL/HTTP. change it on the client's application. make sure only 80 and 443 traffic is using tor network.
maybe Suricata can analyze and reroute bitwarden only traffic before it goes into the onion network.
however I think the way to go for everything from remote client to own hosted stuff shall be via VPN. from there you can continue with hidden services and use a killswitch.
You misunderstood the problem.
The connection to the bitwarden server goes THROUGH the TOR network. That already happens within the TOR browser, no mechanism that is outside of the TOR browser will be able to redirect the bitwarden traffic which is within the TOR tunnel.
None of your tunneling/routing suggestions can work with TORbrowser.
Also, I do not think that you may use a .onion address for the bitwarden server, but about that I am not sure. If that would be possible, it would be a solution, as then the bitwarden traffic would not be linked to your home lab public IP.
you misunderstood the solution.
tor implementation in proposed solution is not done within browser. it is done after VPN, so basically on the router
I got what you mean, but that means using a regular browser instead of torbrowser, while torbrowser is better trimmed towards anonymity. While tor would still hide the IP, the visited servers could still fingerprint a regular browser much better than torbrowser. I believe that it is safer to use torbrowser than an onionrouter with a regular browser.
I think you can use tor browser without the tor functionality.
don't rely too much on technology. apart from html5, java (script) and flash, there is more that identifies you and that is purely user driven.
however do you really require close to 100% anonymity?
I mean will you disclose governmental secrets?
are you in danger if you reach out to the wrong person?
or rather would you like to get the taste of the onion network and get cheap flights?
This isn’t so much a solution, it’s just avoiding the problem altogether.
A fairly straightforward workaround (albeit less convenient, but it’s Tor so that sort of comes with the territory) would be to use the desktop client for any anonymous browsing. No browser extension does lose you some features, so it’s a trade-off.