Protection from HTTPS Inspection?

Hello,

I’m curious if anyone can provide any clarity on what information might be vulnerable to exposure in a scenario where an organization is performing HTTPS inspection.

In this scenario, the organization can see any clear text exchanged during a session. So I would assume that my Bitwarden data would be exposed because of this. That is unless the vault data is further protected due to the vault encryption…

Can anyone comment on this?

Thanks…

The conventional wisdom is that you should not log in to personal accounts (including your personal Bitwarden account) on a computer or a network controlled by an organization (especially one that uses SSL/TLS decryption to inspect network traffic).

That being said, your master password is thoroughly hashed (using the KDF configured for your account) before being transmitted, and the account encryption key and all vault data are AES-encrypted before transmission. Thus, the organization would only be able to view any non-encrypted information (e.g., your email address username, your KDF settings, various timestamps, etc.) when inspecting HTTPS traffic.

However, bear in mind that an organization that performs SSL decryption on internet traffic may also be performing more intrusive monitoring on computers that have been issued (or configured) by their IT Department. This could include anything from keylogging, clipboard snooping, screenshot logging, etc.

1 Like
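To make the answer above concrete, here is an added example (not Bitwarden's own code: the salt choice and the second derivation round are assumptions picked for illustration, and the AES encryption of vault items is left out). It builds a login request the way a client would, then checks what a proxy that decrypts the TLS session could actually read from the body:

```python
import hashlib
import json

# Constructed sample values for illustration only; not a real account.
EMAIL = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"
KDF_ITERATIONS = 600_000  # assumed PBKDF2-SHA256 iteration count for this example


def master_key(password: str, email: str, iterations: int) -> bytes:
    """Client side: stretch the master password into the key that protects the vault.
    Using the lowercase email as the salt is an assumption made for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations, 32)


def auth_hash(mkey: bytes, password: str) -> bytes:
    """Client side: derive the value that is sent for authentication.
    One extra PBKDF2 round with the password as salt (assumption); the master key itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, 32)


def build_login_request(email: str, password: str, iterations: int) -> dict:
    """The cleartext a TLS-inspecting proxy would see after decrypting the login POST."""
    mkey = master_key(password, email, iterations)
    return {
        "username": email,
        "password_hash": auth_hash(mkey, password).hex(),
        "kdf": "pbkdf2-sha256",
        "kdfIterations": iterations,
    }


def leaked_secrets(request: dict, password: str, mkey: bytes) -> list:
    """Return which secrets appear verbatim in the decrypted request body."""
    body = json.dumps(request)
    found = []
    if password in body:
        found.append("master_password")
    if mkey.hex() in body:
        found.append("master_key")
    return found


if __name__ == "__main__":
    req = build_login_request(EMAIL, MASTER_PASSWORD, KDF_ITERATIONS)
    mk = master_key(MASTER_PASSWORD, EMAIL, KDF_ITERATIONS)
    print("fields visible to the inspecting proxy:", sorted(req))
    print("secrets exposed in cleartext:", leaked_secrets(req, MASTER_PASSWORD, mk))
```

The proxy learns the username, the KDF settings and the hash, but neither the master password nor the key that decrypts the vault, which matches the answer's point that only the non-encrypted metadata is exposed.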

All valid points regarding keylogging etc…

I was mainly interested in the state of the transmitted data. I guess I could have traced this with Fiddler but really wanted to hear from this community.

Glad to know that the “sensitive” data will be encrypted in-flight inside the https session.

Thanks for the response!

2 Likes

The vault encryption itself is described in “somewhat technical” detail here: Bitwarden Security Whitepaper | Bitwarden Help Center