For example, let's say you have to log in to the web vault using a secure device, but on an insecure network (public wifi, for example). From what I understand, this is okay, because all the transmitted data is encrypted by HTTPS. But can someone looking at server logs see that you just accessed:
You should count on it always being visible. It's called Server Name Indication and is used by servers to host multiple secure sites from the same IP.
Hello, my query is related to this topic.
I was looking for a clarification regarding the website-icon cache that is stored locally on our computer (and not about fetching the website icons from the endpoints).
Unfortunately the help article "Privacy when using Website Icons | Bitwarden Help & Support" does not mention anything about the security of local cached storage of website icons.
On doing some checks myself, I found that the website icons were stored in an unencrypted format in the cached local storage, which could be viewed with any image viewer irrespective of the lock state of the vault. Though some of them threw an unsupported-format error, I still could manage to see some of the web icons. The directory I am referring to in the case of Windows is C:\users\user\AppData\Roaming\Bitwarden\Cache.
It would be great if there was some clarification regarding this.
If it's the case as I indicated above, then it might be a good idea to disclose it somewhere so as to enable users to be better aware of their privacy/security threats.
For example, this might be helpful for a user to decide whether to keep website icons on or off on a work computer, etc.
I hope this would be clarified soon.
Thanks
On a related note I am fairly new to BW and in the process of migrating from 1PW. I was looking into the website icons use today and the references (in the FAQ info) about privacy concerns:
We understand that certain privacy-minded users may not want to use website icons. We provide the option to disable website icons on all Bitwarden client applications by turning off the following option…
Is there any option to manually load your own icons? This is a feature 1PW has had for some time allowing you to use any image to create a logo for a vault entry. In addition to allowing greater user customisation (which can help identify entries) this also eliminates the need for BW to ping external addresses to get the icons, thereby largely alleviating the privacy concerns expressed above? If not currently possible is there any technical reason why BW could not be modified to do this (or should not be for security reasons)? [aside from the identified exposed cache situation @Gaurav has already raised above which already exists.]
(P.S. This was a function I found especially useful while using 1PW the last couple of years…)
EDIT: I have subsequently discovered (and as is typically the case, only shortly after posting this, via a vaguely related post) the 2018 Feature Request: Custom icons for items and folders/collections - so take it from this that it is not currently possible in BW…
Hey @Mycenius thanks for the feedback, custom icons are not currently available but as referenced in the article above, you can disable icons in the settings menu.
I mean, you can change the setting, but by then the icons have already been loaded. And the preference is not persistent, so the icons are loaded again on the next login…
Is there any reason why the web icon option can't be stored in the vault, like some of the other vault preferences (theme, etc.)?
Yep exactly. The other PW Manager I've been using up to now appears to do that (although I have not verified that), and as it allows you to manually upload your own image file for each icon (I assume it resamples it to a suitable size at upload to save storage space - as I have uploaded some pretty big logo images into it in the past) it eliminates the need to source them externally completely (although it still does do that by default where it can locate an icon).
Curiously enough my current PM only stores some of them encrypted in the vault (I had thought it was all - see here Protect yourself when using rich icons):
Icons you add to your items… are encrypted with the rest of your data. However, the rich icons that are automatically downloaded are not encrypted.
So going the whole hog and surpassing the above and storing all icons in the encrypted vault would be a big plus IMO - for both the apps/extensions and the web vault!
I would like to understand the security implications of retrieving icons a little bit better.
As far as I understand the documentation the Bitwarden server is fetching the icons and I am wondering how the server can fetch the icons if only encrypted data is transmitted to the server.
But I might be wrong and the clients are fetching the icons? I would appreciate a little clarification on this topic very much!
The clients are sending an unencrypted request to a special icon server (icons.bitwarden.net), which then fetches the icon and sends it back to the client.
For example, if you have a Google login stored in your vault, then the URL is stored in an encrypted form on the vault.bitwarden.com server, and may look as follows:
This encrypted cipher string is fetched by your Bitwarden client app and locally deciphered, storing the decrypted URL (https://accounts.google.com/v3/signin) in the device memory only.
Subsequently, the Bitwarden client app sends an HTML request of the form https://icons.bitwarden.net/google.com/icon.png to the icon server (icons.bitwarden.net). The icon server then fetches the icon from google.com and delivers it to the requesting client, which stores it in a cache on the local device (e.g., C:\users\user\AppData\Roaming\Bitwarden\Cache). In addition, icon images are cached by Cloudflare's Content Delivery Network, as described in the Help Documentation.
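To make the privacy boundary in the explanation above concrete, here is a small added example (not Bitwarden's own code) that models which part of a stored login URL reaches which party when an icon is requested: the network observer on the wifi sees only the icon server's hostname in the TLS Server Name Indication, the icon server sees the registrable domain embedded in the request path, and the full path and query string never leave the device. The reduction of `accounts.google.com` to `google.com` by keeping the last two labels is an assumption for illustration (a real client would consult the public suffix list, so `example.co.uk` would need three labels), and the `stays_on_device` / `visible_to` field names are my own.

```python
from urllib.parse import urlsplit
import ipaddress

# Hostname of the icon service and the request form quoted in the thread.
ICON_SERVER = "icons.bitwarden.net"


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (accounts.google.com -> google.com).

    Assumption for illustration: real clients use the public suffix list, which
    handles multi-label suffixes such as .co.uk; this simplification does not.
    Literal IP addresses are returned unchanged.
    """
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def icon_disclosure(login_uri: str):
    """Return a dict describing who learns what when the client fetches an icon
    for this login URI, or None when no icon request would be made
    (non-web URIs such as androidapp:// have no website icon to fetch)."""
    if "://" not in login_uri:
        login_uri = "https://" + login_uri  # bare hostnames are treated as https
    parts = urlsplit(login_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    domain = registrable_domain(parts.hostname)
    return {
        # Only the icon server's name is in the TLS handshake (SNI); the
        # request path is inside the encrypted HTTPS stream.
        "visible_to": {
            "network_observer_via_sni": ICON_SERVER,
            "icon_server": domain,
        },
        "request_url": f"https://{ICON_SERVER}/{domain}/icon.png",
        # Path, query, fragment and any credentials in the URL are decrypted
        # on the device and used only locally.
        "stays_on_device": {
            "path": parts.path,
            "query": parts.query,
            "fragment": parts.fragment,
            "userinfo": parts.username,
        },
    }


if __name__ == "__main__":
    # Constructed sample URIs for demonstration.
    for uri in ("https://accounts.google.com/v3/signin?hl=en",
                "http://192.168.1.1/login",
                "androidapp://com.example.app"):
        print(uri, "->", icon_disclosure(uri))
```

The point of the model is that the icon feature does not leak the full login URL to the network, but it does hand the registrable domain of every item to a third party and then writes the returned image to an unencrypted on-disk cache, which is exactly the trade-off the earlier posts in this thread are weighing.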