Which risk seems greater?
The risk from an encryption-utilising application like Bitwarden (I use it sandboxed on macOS) being an Electron app, or the risk of using Bitwarden’s website and trusting the web server not to serve you malicious code?
What’s your method for sandboxing Bitwarden?
I downloaded it from the App Store. The .dmg file on their website isn’t sandboxed though.
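An added example, not from this thread, of how to confirm the point in the reply above: on macOS, `codesign -d --entitlements :- <app>` prints an app's entitlements plist, and the function below reads that plist on stdin and reports whether the App Sandbox entitlement is actually set. The app path in the usage comment and the sample plist are assumptions/constructed.

```shell
# is_sandboxed: read an entitlements plist on stdin, print "sandboxed" or
# "not sandboxed", and return 0 only if com.apple.security.app-sandbox is true.
# Whitespace is stripped first so the key/value pair can be matched as one
# fixed string regardless of how the plist is indented.
is_sandboxed() {
  if tr -d '\n\t ' | grep -qF '<key>com.apple.security.app-sandbox</key><true/>'; then
    echo "sandboxed"
    return 0
  fi
  echo "not sandboxed"
  return 1
}

# Constructed sample: what a sandboxed App Store build's entitlements look like.
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>'

# Offline demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_ENTITLEMENTS" | is_sandboxed; then :; fi

# On macOS, against a real install (path assumed):
# codesign -d --entitlements :- /Applications/Bitwarden.app 2>/dev/null | is_sandboxed
```

A build that lacks the key, or sets it to `<false/>`, reports "not sandboxed", which is the case the reply describes for the direct-download build.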
Bump because I’d like to hear thoughts on this. Good discussion on the matter.
Wouldn’t the Electron app be using JavaScript to handle the encryption too, as it is not a native app? So the only concern would be the malicious web server in both cases.
That logic tracks with me, but honestly, I’m not qualified to answer definitively.
I would probably use the Electron app given that it is able to leverage the macOS Keychain for storing secrets. It would also be the only choice if you want offline access to your passwords.
Electron = dumpster fire.
True, but for something like Proton, Tuta or Bitwarden, not using their electron apps would mean trusting the web server to not serve you malicious code as well in case the server is compromised.
But, as long as the encryption happens on the client and the server cannot update code running on the client, it (the server) shouldn’t be able to compromise you even if you were to get MITM’d, though ofc it depends on the app.
I’d use the Electron app in a sandbox. Something like a cloud password manager is something that needs to be very trusted anyway.