[bstsb]

caveat not properly addressed in the blog post: all "attacks" are assuming full takeover of web servers, which is certainly a scenario that should be protected against, but isn't really a vulnerability unless chained with something else.

almost all online services would be "vulnerable" in this way - take almost any login system. an RCE on a system hosting a login page would obviously be vulnerable to account takeover

better link here (the technical details): https://zkae.io/

[tptacek]

No, the whole point of these systems is that you can trust them even if their servers are compromised. If you exclude that possibility from your threat model, you might as well not bother encrypting at all; just send your passwords to the server in an HTTPS POST.

[Someone1234]

I use Bitwarden, and I like them, but I still disagree.

One of the things Bitwarden's design is MEANT to offer is "zero knowledge" meaning that it is an AES-256 encrypted database "blob", with PBKDF2 derived master password.

So "compromised" server absolutely IS something the DESIGN should protect against. If compromising Bitwarden's servers lets them extract what they say they can extract, then the whole "zero knowledge" assurance is dead in the water.

Plus, Bitwarden themselves don't even need to be compromised, we could have a DNS redirect into a server the bad-guys (inc. national-state) control. Then leverage that into complete compromise of your database.

[fullstop]

Does't TLS pinning alleviate the DNS attack?

[kenniskrag]

Not if the advertise zero knowledge encryption. As far as I understand the password sharing / collaboration feature is often the problem.

Second: The provider can get the passwords with a simple server change.