Hello. New user here. In the past I had experience in using an offline password manager. Now I am interested in using bitwarden because of its seamless sync between desktop and mobile.
Now, I can’t help but wonder, what keeps the dev from going rogue and publishing a malicious update that allows the bitwarden software to upload all the passwords available to the dev himself? I understand that since the code is open source you will say he can’t dare doing it. However, can’t the dev just postpone the open sourcing of the newest update for a few days and in the time being, lets us update our bitwarden software with the malicious one?
You can choose to ignore updates and stick with a version you thoroughly reviewed on all platforms except the web vault (which you can choose not to use).
So, basically there is nothing that can prevent him. And this is probably true for any other piece of software that I use: I have to trust the person coding it. Or I have to read all the code of Bitwarden on GitHub. Speaking of which, have any user read through all the code of Bitwarden? I am not a software engineer, so I don’t know if this is doable or so. However, was just curious.
Basically nothing that’s right, and you’re also right it’s true for any other piece of software, especially non open source ones.
There are discussions about an Independent security audit, but I don’t think it has been performed yet.
I have read through the entirety of the source code, and there are no obvious problems or backdoors I can see.
However, someone could make a backdoor in the form of a bug that is hard to catch. That’s why more eyeballs reading the whole source code helps a lot.
How much time did it take for you to read all the source code?
It wasn’t really that bad. Maybe a few hours over the course of a few days.
I usually have a list of source repos I want to read and read a file or two on my down time. I also like to scribble down a mental model of how the modules work together while I do it.
@bobby_shaftoe For your legit concerns there’s a nice solution: run your own instance of Bitwarden.
Since devs already made it wonderfully easy to run the full Bitwarden stack using Docker, you could go ahead and clone the involved Dockerfiles, Bash scripts and whatever else is necessary to ensure maximum security with a version you trust as @Crocmagnon mentions; next step would be to run it on a box or VPC you trust, spin a VPN and you’re ready to go.
It’d be nice, though, to be able to use some of the premium features - like attachments - in your self-hosted vault. For instance, I think that attachments should be part of the ‘free’ package (I’m a paying subscriber FWIW), otherwise is like eating bread without butter.
Actually you can use premium features on a self hosted instance. See https://help.bitwarden.com/article/licensing-on-premise/
@cig0 Thanks for the advice. For someone who doesn’t want to trust the developer, your advice should work. However I don’t know that much about reading a source code and understanding (I wish I had this ability, though). So, I guess, I have no chance but to trust the developer, and hope that other people using Bitwarden at least read the actual source code and keep us, others, updated.
This should be pretty straightforward tho. To setup a proper lab environment, in addition to Docker we will need a virtualizer (Virtualbox, VMware, KVM/QEMU, etc.), a GNU+Linux distro, OpenVPN and git. I’d add Vagrant to the mix as it will provide us a nice layer of usability on top of everything.
I’ll try to put together a guide this weekend: the final result will be a self-hosted Bitwarden backend installation created from source and accessible only through a VPN. I’ll let you know when it’s ready.
Why would you need a VM ? You could just spin a VPS from a cloud provider and have your backend accessible from anywhere in the world.
You could still use a VPN to connect to it, and for that I suggest taking a look at either Algo VPN (my favorite) or Outline VPN (a tool created by Google, really simple to use and doesn’t use any Google service) in order to ease the setup.
I might be a bit late to the party, but i feel like i could add a bit to the original discussion still.
As the original poster already noted in a reply: You have to trust the dev - true for any software, open source or not. The difference being here that this trust can be verified by examining the source.
One of the best assurances is simple though: With Bitwarden the dev has a steady income from premium and commercial users. Most people would not want to jeopardise that, especially when betraying this trust also runs afoul of the law. Not to mention that he would be caught quite easily.
See also the relevant FAQ