@indolering What’s the risk of having alternative names on certificate? I understand basics (maybe) but I find it quite interesting, so I’d appreciate if you could share few more details.
Would some of those domains effectively be able to spoof/fake to be bitwarden? Or hijack wildcard domain and try to be batman.bitwarden.com for example?
This could only be risky if they make it to steal the certificate or they are able to tell Cloudflare to route the traffic to their server, which probably not happening.
But the basic idea to pipe your entire passwordsafe traffic through Cloudflare doesn’t make me happy. I mean Bitwarden is not the first passwordsafe doing this, but it doesn’t feel very perfect.
On the other hand, the way Bitwarden is built, prevents Cloudflare from getting any secret and this way everyone’s vault is safe.
Cloudflare has ‘okay’ stamp from some nice guys, like Troy Hunt, and it didn’t feel like there’s any sort of paid promotion going on. Not educated/qualified enough, but it’s not making my skin crawl (from user point of view). Thanks for explanation, makes more sense from the exploit point of view.
Even if there’s no immediate risk, or risk is extremely small, it’s probably ‘simply’ professional to have own cert. HSTS is slowly getting boring, I’m pretty sure in few years time it will be bad to not HSTS, just like it’s bad to not HTTPS in 2018 (and good).
Wrong. This won’t happen since bitwarden.com has HTTP Redirections enabled, the HSTS header is set and it even is in the HSTS preload list.
So even the very first visit to bitwarden.com with all current browsers will always be over HTTPS.
Okay, so HSTS has been enabled since I first posted? The score appears to have improved 6 days after the original post and has gotten better since then.
Yet, shared certificates provided by Cloudflare continue to be used. I don’t think it’s the best idea given the nature of Bitwarden as a secure service.
It’s pretty meh: an attacker would need to get you to connect to one of those domains AND spoof the DNS of the host machine. Not enabling strict HTTPS enforcement is the only thing they really needed to worry about and that was fixed.