Is it safe to use the browser plug-in (extension) or Web Vault on public Wi-Fi?

This is really 2 questions, but they are so similar, I’ll roll it into one: Is it safe to log into the bitwarden browser plug-in (extension) or Web Vault when on public Wi-Fi?

1 Like

As far as i know Bitwarden is only accessible over https. That would mean it’s always encrypted. Therefor it should be save.
On the other hand, every open WiFi could be a fishing attempt. So you probably don’t want to use any password over an open WiFi.

Is that a contradiction? You’re saying that since every open WiFi could be a phishing attempt, you probably don’t want to use any password (presumably even over HTTPS). But at the same time, it’s okay to access bitwarden?

Theoretically, you are safe using https in an open WiFi.
The problem with open WiFis is, that without authentification you can’t be sure, that you are not just connected to a phishing accesspoint.

So, it is secure as concept, but never secure in pratice. I would not use open WiFi for more than a google search.

All according to my knowlege. I’m an IT guy, but no expert on security.

It reminds me of what Albert Einstein once said:

“In theory, theory and practice are the same. In practice, they are not.”

Hopefully @kspearrin or a security expert can add their conclusions.

1 Like

Network engineer here… The answer IMO is no. It’s not safe. I would only access it over a VPN. Trust no open WiFi. This goes for practically anything you do on open WiFi.

There are several good VPN solutions out there which run on PCs or mobile at a reasonable price, assuming your personal data and security are worth it.

1 Like

Hi dlyft. Thank you for your feedback.

What in particular would make open WiFi unsafe to use if operating completely over HTTPS?

Mainly because you have no guarantee that the WAP (wifi access point) you connect to is legitimate. Also, can you say for 100% certainty that ALL traffic coming from your device is encrypted? In the context of BitWarden specifically, I simply don’t want to take the chance that I end up on a rogue access point and end up with my traffic sniffed. This is a paranoid view but that’s why I’d never do it.

Here’s one article but there are many others:

Thanks @dlyft

I think it’s best to consider every public WiFi Access Point to be compromised, and act accordingly.

Furthermore, when on any WiFi, it’s best to assume that every piece of traffic is being sniffed by the operator of the WiFi as well as everyone in range of the signals. There’s also potential sniffing upstream from the WAP.

@kspearrin Is bitwarden’s security robust enough to be used on public WiFi (without a VPN)? If necessary, you might need to break down your answer for the web-app, browser extensions, mobile applications, and desktop applications. Thanks!

hum… I think there is a bit of confusion here… unless I am mistaken:

  • An “Open WIFI” (or more precisely “unprotected WIFI”) means that your conversation between your machine and the WIFI Antenna is not encrypted. This means that anyone around you can see each and every bit of information that you send and receive.

  • However, when you use HTTPS, you will anyway encrypt your traffic between your client and the target server (bitwarden in this case). As a result, this should not impact the security of your transaction regardless of the encryption of your wifi stack.

…that being said…

  • Some “public networks” which usually are “unprotected wifi” are designed to perform various Man-In-The-Middle attacks (DNS intercepts + SSL termination). As a result “open-wifi” have a bad rep, but in reality the very same attacks are also possible on protected wifi accesses… I noticed this recently while accessing a “business area” in the Paris’s Orly airport. My cell phone gave me a tiny innocuous warning that the wifi was using an “untrusted” certificate proxy. In other words, all my SSL traffic would have been intercepted and decrypted on the fly.

regardless of unprotected or protected, if you are not on a trusted wifi, you should setup a VPN. I personally use when I travel a good old Asus Router with a Merlin firmware at home running the VPN software and a tiny traveling router with a VPN client which all my devices connect to. This is not too hard to setup and give a decent peace of mind.

1 Like

i don’t know how to read the code , but from what i have been able to understand from Bitwarden’s docs is that , Bitwarden hashes and salts your master password locally before transmission to their servers. I have myself verified this result with my local mitmproxy setup after stripping tls which we call https connection.

So , in the scenario where you are using your own personal device but with a public wifi connection , even a mitm attack too won’t be able to compromise your password. The most he would know would be your email address and your device fingerprint.

Let me know if i an wrong somewhere
Thanks :blush: