Bitwarden going proprietary?

Yes, except that you are making assumptions, officially it is a bug and a misinterpretation of the community, there is no loss of confidence to have, nothing changes, they have clarified very quickly the situation, without tongue in cheek.

This is a helpful narrative here …
Perhaps it is wishful thinking that the whole Open Source model can sustain itself and progress as is pointed out here …

Agree.

I was just thinking the same thing, just stick with Bitwarden or choose something different.

Yes, life can be that simple, in a broader perspective.
I mean it's not like there is one password manager, one woman, one job etc. :wink:


Sorry, may I ask what you mean by “sharing passwords”?
I'm trying to understand this vulnerability and how it may affect Proton Drive and Proton Pass.

KeePassX has been unmaintained for nearly three years, so you should move to KeePassXC if you’re considering proceeding with that route.

Except it’s not E2EE anymore if you’re sharing, genius.

If you have a file on Proton Drive, Tresorit, Mega, etc., and you create a sharing link without a password, you’re basically sending the decrypted file to the server. Forget E2E, it’s not even E anymore.

Well, password managers often allow you to share passwords, or even whole vaults, with family members. So you and your wife/husband/kids/etc don’t have to create multiple Netflix entries, one in each person’s password manager.

If you’re sharing a file with a password (from a file hosting cloud such as Proton Drive, Tresorit, Mega, etc.) it may just re-encrypt using a new private key, so I guess you can still keep it E2EE.

If you’re sharing between accounts, as password managers do, you need a way to communicate keys between accounts, which seemingly involves some server mediation (see the link I posted, that’s exactly the issue they found with Tresorit). That’s why having an open-source app only doesn’t suffice for when there’s sharing involved, ideally you’ll want the server code to be open source as well.

Ah, I see what you mean.
Well, from Proton's website:
If you’re the vault administrator, you can share your vault key and Proton Pass will encrypt it with your recipient’s address key, ensuring only they can access it.

After your intended recipient receives your encrypted vault key, they will validate its signature using your address key. This step verifies that the invitation legitimately came from you. Once the signature has been validated, Proton Pass will encrypt the vault key using your recipient’s user key and store it securely.

However, I do understand what you mean: there is no way to actually verify it's doing what it says, because the backend is not open source.

That’s interesting. By that description it might actually be possible for all of it to be done in the clients. It would be cool if someone could go through the code and pay special attention to that part.

I’m pretty sure that’s not how it works. The file is still encrypted on the server. But the sharing link you create contains a key to decrypt the file. As long as you share the link in a secure manner then nothing is exposed.

I believe that’s what security audits are for, which Proton Pass has had :slight_smile:


Tell PG to drop all their “open source” requirement for recommendations, then, since audits are all we need.