[andix]

In theory the Bitwarden server (and Vaultwarden) shouldn't have any access to the passwords, so a data breach of the server should never disclose any contents of the vault. Vaultwarden "feels" safe to me, but I would also be interested if there is some possibility it could introduce some degraded security compared to the official Bitwarden server.

My Vaultwarden instance is "hidden" on a subdomain that probably nobody would ever guess (or scan for), so at least there is some added security by obscurity. If someone would know my credentials and master password, they probably won't find where to use them. In this case the reverse proxy in front of it also serves other content, just be hitting the IP nobody would ever know there is a Vaultwarden running on this server.

Edit: the subdomain is behind a wildcard DNS, so it's also not listed in the zone file. Although it will show in DNS logs of the ISP when I'm using it.

[archi42]

1. If an attacker got your credentials, they'll probably also have the server URL. Reasoning: They probably infected your machine with infostealer malware and keylogged the password. Or are you using the exact same credentials someplace else?

2. If they can figure out your domain name, they can check crt.sh for "mysecrectvaultwarden.domain.tld". If that only reveals wildcard certs and they're really interested in you or your company, they could try bruteforcing the DNS name.

3. If they breach the vaultwarden server and in case you're using the web UI, they can try to inject some JS to steal the credentials.

What I do to mitigate this: 1. Vaultwarden only reachable via VPN (e.g. wireguard on OpnSense) 2. Custom CA on all devices (e.g. step-ca with name constraints and local ACME [careful to put DHCP clients on a subdomain!]) 3. DNS for my LAN+VPN is not public. This massively reduces the external attack surface, compared to having a bunch of services available behind traefik.

[andix]

I know it's not really secure, it's just hidden to some extent. In a way that an average attacker probably wouldn't find it right away. If someone is really looking for it, it can be found.

A VPN would provide better security for sure. But also make it harder to use (VPN needed on all devices).

[neurostimulant]

AFAIK if you type something in the browser's omnibar, the search provider such as google will receive the autocomplete query, so google will at least know your secret domain. If you're using letsencrypt, your subdomain will show up in the public CT log, which is probably being mined by some data or security companies. Your dns providers will also know this secret subdomain as well and and some data companies might be able to obtain them.

[chrismorgan]

Firefox seems to be moderately conservative about what it does search autocompletion on. Type in the full URL, protocol and all, and it doesn’t look like it leaks anything after the colon.

As for CT logs, this leak is avoided by using a wildcard certificate, which Let’s Encrypt supports.

[aborsy]

Good point actually, the passwords are encrypted with official Bitwarden client apps (unless using web app).

[andix]

I think even the web app does the encryption in the browser.

The bitwarden windows app and the browser extension are more or less just the web app inside a webview.

[BOOSTERHIDROGEN]

How do you hide subdomain ?

[evulhotdog]

You don’t, and they’re not really hiding anything from anybody who has any knowledge in the security space.