There is a sort of metadata leak during transit, in case somehow your TLS gets compromised.
The current encryption method does not encrypt (with AES256) “Field names” and also your “password revision date”.
So theoretically, the server or a MITM could know how many usernames and passwords a given user has stored in his vault.
Also, it can be determined by the server or a MITM if you have saved your card details in your vault, as the field “cardholder name” would appear.
This metadata could also be known through favicons as well, but we have an option to switch that off.
This doesn’t compromise our actual data, but revealing metadata could also be of concern for some of us, and users should be made aware of it.
I don’t know whether it’s possible to encrypt the “fields” as well, but would love to hear about practical difficulties and solutions for it.
What are we looking at in your screen capture, @Gaurav, and how can one replicate it to check for themselves? Thanks!
Ohh, the screen capture is of Wireshark, with the decryption keys of the browser being fed into it at the same time through an SSLKEYLOGFILE.
So in short it’s just stripping the transport layer security and seeing what’s being transmitted to the servers.
The same can be replicated through multiple ways; easiest would be through the network tab of the browser dev tools.
So this is a sync update of vault data back to the Bitwarden servers then? Gotcha.
Hi @Gaurav, you are correct, the data structure is public while user data is encrypted. I’ll bring the feedback to the team that this could be communicated better.
Okay, so earlier I assumed that everything was encrypted as a whole data set (commonly referred to as a vault), as is usually the case in a standard password manager like KeePass.
Also, since there is no block-level syncing currently in Bitwarden.
I understand this might be done as a result of maintaining performance and speed of syncing across devices, but still, encryption of the data structure too would be an ideal solution privacy-wise.
Maybe it’s considered in future by the devs, keeping in mind its speed and reliability.
This is pretty common with other online password managers, some even do it far worse.
The trick is that the server needs to know when you updated or changed things in your vault, so encrypting that would not be possible.
What Bitwarden does is good enough, but 1Password does it slightly better, as they group all vault items into their own blob and encrypt that. It would be cool if Bitwarden did things like 1Password does, but honestly, I’m not losing sleep over it.
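The two sync layouts discussed in this thread (per-field encryption with cleartext field names and revision dates, versus grouping the whole vault into one encrypted blob) side by side, as an added example that is not Bitwarden’s or 1Password’s code or wire format. The vault items, the key, and the JSON shapes are constructed for illustration; because the standard library has no AES, the `encrypt`/`decrypt` helpers use an HMAC-SHA256 keystream purely as a stand-in for the AES-256 the thread mentions. The `observe_*` functions model what a server or TLS-stripping observer can read from each layout without the key.

```python
import hashlib
import hmac
import json
import os
from collections import Counter

# Constructed demo key (an assumption, not a real vault key).
DEMO_KEY = b"\x01" * 32

# Constructed vault content: two logins and one card.
VAULT = [
    {"type": "login", "revisionDate": "2021-03-01T10:00:00Z",
     "fields": {"username": "alice@example.com", "password": "hunter2"}},
    {"type": "login", "revisionDate": "2021-03-02T11:00:00Z",
     "fields": {"username": "bob", "password": "correct horse"}},
    {"type": "card", "revisionDate": "2021-03-03T12:00:00Z",
     "fields": {"cardholder name": "Alice Example", "number": "4111 1111 1111 1111"}},
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream from HMAC-SHA256; stand-in for AES-256, not a recommendation.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> str:
    nonce = os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce.hex() + ":" + ct.hex()


def decrypt(key: bytes, token: str) -> str:
    nonce_hex, ct_hex = token.split(":")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def per_field_layout(key: bytes, vault: list) -> list:
    # Layout A: each value encrypted separately; field names and revision dates stay cleartext.
    return [
        {"revisionDate": item["revisionDate"],
         "fields": {name: encrypt(key, value) for name, value in item["fields"].items()}}
        for item in vault
    ]


def blob_layout(key: bytes, vault: list) -> dict:
    # Layout B: the whole item list serialised and encrypted as one blob;
    # only the latest revision date stays cleartext so the server can detect changes.
    return {"revisionDate": max(i["revisionDate"] for i in vault),
            "blob": encrypt(key, json.dumps(vault))}


def observe_per_field(payload: list) -> dict:
    # What an observer without the key learns from layout A.
    names = Counter()
    for item in payload:
        names.update(item["fields"].keys())
    return {
        "items": len(payload),
        "logins_with_password": names["password"],
        "has_card": names["cardholder name"] > 0,
        "revision_dates": [item["revisionDate"] for item in payload],
    }


def observe_blob(payload: dict) -> dict:
    # What the same observer learns from layout B: a change timestamp and a size, nothing structural.
    return {"items": None, "logins_with_password": None, "has_card": None,
            "revision_date": payload["revisionDate"], "blob_chars": len(payload["blob"])}


if __name__ == "__main__":
    print(json.dumps(observe_per_field(per_field_layout(DEMO_KEY, VAULT)), indent=2))
    print(json.dumps(observe_blob(blob_layout(DEMO_KEY, VAULT)), indent=2))
```

Running the block prints the per-field observer's view (item count, number of stored passwords, presence of a card, per-item revision dates) next to the blob observer's view (one timestamp and a length). Note that the blob layout still leaks the vault's approximate size and how often it changes, which is the price of letting the server detect updates at all, as the reply above points out; padding the blob to a fixed size bucket would be the usual way to blunt the size signal.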