Question for Bitwarden programmers and designers

https://lock.cmpxchg8b.com/passmgrs.html
Curious about your response to this Tavis Ormandy blog post critiquing extrinsic password managers? Tavis is a Google security researcher. Thx.

Absolutely -

1 Like

@tgreer Thanks for the link. Very helpful. Cheers.

1 Like

Browsers are the most insecure software ever created and they will be for years to come; neither the current standards nor the upcoming ones have addressed the issue because it’s too complex to address. Not even the titans (like Google) can overcome the issue as it is innate to how the internet works.

A browser is just an application that evaluates code. That’s it. Is the code harmful? That’s the question right there, my friend. The ordeal is to stop said code from grabbing your data, deleting your files, making your computer explode and stealing your girlfriend. Well, not the last one, but every time you enter any site, each connection made puts you in danger.

If you’re paranoid, stop reading or you’ll burn your computer and never touch a single piece of technology again.

From the speed, quantity and quality of text you type to the sites you visit, the hours you visit them, how many times you visit them, how much time you stay on a site, where you move your mouse when you’re on a site, how many times you click… and the longest list of et cetera you can imagine.

On top of that, browser extensions: if a browser is Hitler… an extension is Satan. Just look up “why browser extensions are insecure” in your search engine of preference. The browser limits the access from one site, so it only reads its own data; extensions can read all the information on all the sites all the time (depending on the permissions granted, of course).

It’s not a case of “if”, it’s WHEN: extensions that become compromised can simply send your banking information to a third party. Now the reality of it all: Can it happen? Yes sir. Has it happened? Yes. Will it happen again? Yes. How likely is it for you to be affected? It’s easier to be hit by lightning in the middle of a desert.

Security is evolving more and more, checks are always in place; heuristics, machine learning and even AI are huge tools to help hunt down problems and we’re embracing them. So much money is constantly being poured into eradicating these problems, there are people monitoring and working 24/7 checking millions of lines of code. Look at Apple for example, they moved their security to a hardware-based solution (secure enclaves which are almost unbreakable).

Should you be careful? Yes, don’t be lax on security, as common sense will always be the best approach towards security. But when reading this kind of material take it with a grain of salt, as these are abstracts and proofs of concept; some of them are just hypotheses on how, if a weakness is discovered, the whole system can collapse.

In 2017, when SHA1 collisions were the big news, the world lost its head; I’m still waiting for anything to happen. It took researchers with endless money and resources years and years and nitpicking every variable to come up with a collision, yet the IT community screamed like me when I see a cockroach fly.

TL;DR: research papers and factual reality are two different things, use common sense. Also, if you really want to keep your passwords secure from these kinds of attacks, skip the browser altogether and use something outside the browser.

1 Like

You are attacking a straw man. These points don’t lessen the author’s argument around extension content scripts, which (for some) create a no longer justifiable trade-off between convenience and security.

Most people wouldn’t walk on a thin layer of ice on a frozen lake and say “it’s the lake’s fault and we’re gonna walk anyway”.

User choice would be preferable. Some like to walk on thin ice (auto-fill galore) and get away with it. Others prefer to sit on the side of the lake and enjoy life in more safety.

Currently, the only way to close the content scripts attack vector is to not use the browser extension and resort to the native app. It would be amazing if the browser extension could offer an option to disable content scripts, which would take away a small bit of functionality but boost security. Again, “user choice through settings” being the key phrase.
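
The posts above turn on two extension properties: content scripts and the host permissions a user grants. As an added example (not part of the thread and not Bitwarden's code), this Node.js script audits a WebExtension `manifest.json` for content scripts and host permissions that apply to every site; the sample manifest and its file names are constructed for illustration.

```javascript
// Added example: flag where an extension manifest grants page access on every site.
// SAMPLE_MANIFEST is constructed for illustration; it is not any real extension's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "example-password-filler",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://*/*", "http://*/*"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["autofill.js"], all_frames: true },
    { matches: ["https://vault.example.com/*"], js: ["vault.js"] },
  ],
};

// Match patterns that cover every host for at least one scheme.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (pattern) => BROAD.has(pattern);

function auditManifest(manifest) {
  const findings = [];
  // Content scripts run inside the page itself, so a broad match means
  // extension code is injected into every site the user visits.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push({
        kind: "content_script",
        files: cs.js || [],
        patterns: broad,
        allFrames: cs.all_frames === true, // also injected into iframes
      });
    }
  }
  // Manifest V3 lists host access in host_permissions; V2 mixes it into permissions.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  const broadHosts = hosts.filter(isBroad);
  if (broadHosts.length > 0) {
    findings.push({ kind: "host_permission", patterns: broadHosts });
  }
  return findings;
}

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

An empty result means the manifest declares no all-sites content script or host permission; it says nothing about scripts the extension injects programmatically at runtime.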

I really don’t understand your reply:

…is basically what I meant:

And I stand by it. Browsers are insecure, extensions even more. The less you depend on them, the better.