Hacker News new | ask | show | jobs
by Macha 1915 days ago
Isn't this true for any service? We're just trusting that the bitwarden/server image or bitwarden.com won't do the same?

Also this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you as the server doesn't control code those clients run and the API only provides it data in encrypted format.

Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version
1 comments
jamescontrol 1915 days ago
Yes, but if a company does this, they are essentially killing themselves. They have presumably spent a lot of time creating a company, gain customers etc, whereas a single(?) maybe anonymous open source developer does not have that much to lose.
link
alpaca128 1915 days ago
> if a company does this, they are essentially killing themselves

...or they have to do it because of the NSA and weirdly 99% of users don't care or don't have the means to do anything about it.

Companies aren't trustworthy, they are bigger targets but also targets with thicker armor.

I just go with the offline route, KeepassXC runs well enough for me and is compatible with phones. I need to handle data sync myself but it's not like I change or add new passwords every day.

link
arkitaip 1915 days ago
The single dev has their reputation and professional career to lose whereas companies can and regularly engage in all kinds of legal and or judo to avoid any responsibility towards users.
link
cromka 1915 days ago
A single dev is an exploitation sitting duck. They can get hacked, they can be stoled from, they can be targeted by the NSA (or FSA, ...), they can make a small but fatal mistakes, and I doubt they conform to the level of policies that companies like FAANG impose on their security-critical teams.

And all of the above are very good plausible deniability excuses, such that this single developer could, after all, be malicious and still not loose his reputation simply by claiming he got targeted by a 3rd party.

Let that sink in: a single developer and their PC is a gatekeeper of everyone's safety.

link