Server: Equivalent Domains should not be sent/stored as plain text.

Created on 14 Feb 2017  路  7Comments  路  Source: bitwarden/server

Right now the Equivalent Domains is sent from the client and stored on the server in plain text. This should be encrypted on the client the same as passwords/sites.

This isn't a huge security issue, but if the database was compromised then the list of domains would be available from each account. This list of domains would be ones that the user has accounts on creating a privacy issue.

Most helpful comment

Lastpass has an option to, when adding a new association, to optionally share that association (check box at a prompt) with other users. Something like that would be nice.

All 7 comments

The idea behind this is so that we could improve the global associations in the future as we see popular custom associations, however, I can see where privacy concerns can come into play. Thanks for the feedback.

Could using server-side encryption for this stored data be an option? Of course all the username/password/etc. data is encrypted client-side before being sent off to the server & that shouldn't change but when it comes to what is being stored in plain text on your servers encrypted storage seems better than nothing. It wouldn't provide protection of this data from bitwarden server admins as they'd have access to the key used but it would be an extra layer of defense if a server was compromised by an outside attacker. Just a suggestion & perhaps you're already implementing something like that server-side or have a good reason not to. I'm not a programmer, I'm a sysadmin just here trying to learn more about bitwarden & thought I'd give you my two cents, though I'm sure it's worth far less. Thanks for a great product!

@tllong2 Thanks for the input. Currently we do not encrypt this data in any way. If we were to implement this it would definitely be client-side encryption like all things in your vault.

Looking at my custom equivalent domains you could discern where I bank, what insurance I use, which government sites I log into. If it can be linked to me I would want it encrypted but I can see merit if it lets others benefit from my custom equivalent domain associations.

Lastpass has an option to, when adding a new association, to optionally share that association (check box at a prompt) with other users. Something like that would be nice.

I like that idea @sreich all user domains are encrypted but with an option to submit the domains which get stored in the database not associated with the user account to be reviewed to potential be added to the global list.

Reading this thread it looks to me two points are clear:

  • We want the equivalent relationship domains we use to be fully protected
  • We see the value in being able to add those relationships to the global equivalents if enough people use them.

Perhaps when you add such relationship the user could send an optional message to the server with the suggestion, which would be stored anonymously?

Was this page helpful?
0 / 5 - 0 ratings