HTTPS Improvements

Your HTTPS situation leaves much to be desired.

You appear to be using CloudFlare’s shared TLS certificate option, as there are a few dozen sites listed in the alternate names section:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

  • Pay the $5 and get a dedicated certificate.
  • Enable TLS 1.3.
  • Enable HSTS preloading.
  • HTTPS enforcement for all subdomains.

Eventually, you should get your own certificate and enable key pinning and SNI error alerts.

Or use
its is free and well known.
And they recently added wildcard certificates too !

1 Like

@indolering What’s the risk of having alternative names on certificate? I understand basics (maybe) but I find it quite interesting, so I’d appreciate if you could share few more details.

Would some of those domains effectively be able to spoof/fake to be bitwarden? Or hijack wildcard domain and try to be for example?

1 Like

This could only be risky if they make it to steal the certificate or they are able to tell Cloudflare to route the traffic to their server, which probably not happening.

But the basic idea to pipe your entire passwordsafe traffic through Cloudflare doesn’t make me happy. I mean Bitwarden is not the first passwordsafe doing this, but it doesn’t feel very perfect.

On the other hand, the way Bitwarden is built, prevents Cloudflare from getting any secret and this way everyone’s vault is safe.

But yes, HSTS preloading would be nice.


Cloudflare has ‘okay’ stamp from some nice guys, like Troy Hunt, and it didn’t feel like there’s any sort of paid promotion going on. Not educated/qualified enough, but it’s not making my skin crawl (from user point of view). Thanks for explanation, makes more sense from the exploit point of view. :smile:

Even if there’s no immediate risk, or risk is extremely small, it’s probably ‘simply’ professional to have own cert. HSTS is slowly getting boring, I’m pretty sure in few years time it will be bad to not HSTS, just like it’s bad to not HTTPS in 2018 (and good).

1 Like

We use Cloudflare, but we use Full/Strict SSL options, which involves our own SSL certs. See


I disagree. The important site is and not and there the score is great. Many helpful headers have been set and even a CSP is enforced.

It’s still a draft. But it shouldn’t take much longer since there was already the “Last Call” with version 24 in February.

HPKP is basically considered dead and many people advise against implementing it.


You have to have the whole domain protected:

  1. User types in
  2. Browser attempts to load
  3. MITM attacker … wins.

Wrong. This won’t happen since has HTTP Redirections enabled, the HSTS header is set and it even is in the HSTS preload list.
So even the very first visit to with all current browsers will always be over HTTPS.

Okay, so HSTS has been enabled since I first posted? The score appears to have improved 6 days after the original post and has gotten better since then.

Yet, shared certificates provided by Cloudflare continue to be used. I don’t think it’s the best idea given the nature of Bitwarden as a secure service.

1 Like

It’s pretty meh: an attacker would need to get you to connect to one of those domains AND spoof the DNS of the host machine. Not enabling strict HTTPS enforcement is the only thing they really needed to worry about and that was fixed.