Is Bitwarden safe against law enforcement?

I’m an activist in a country that doesn’t like activists.

I currently use Bitwarden to store my passwords, but after reading this from the ACLU https://www.aclu.org/how-malicious-software-updates-endanger-everyone I’m concerned that Bitwarden could be court-ordered into pushing malicious JavaScript to my device when logging in via the web UI to steal my master password.

Does anyone know if they can be court-ordered into that? I am also slightly concerned that they could get a court order in the United States, so it may not matter if Bitwarden can’t be court-ordered by my country.

2 Likes

We dislike Web E2EE for that reason, yeah.

As far as I know there is no precedent for this happening (?), so we simply do not know for sure what courts could demand until they do demand it.

3 Likes

What does the rest of your OPSEC look like? Are you using multiple devices and sync? If so, consider only using one to sign in to accounts and whatnot. No need for sync, which means offline vaults, for which KeePassXC is best.

1 Like

You can self-host Vaultwarden, as well. I build the application from source (git pull + cargo build, very simple), so I can easily review the changes before updating.

Just make sure you set up frequent backups, and if you can, make it accessible only via a private VPN connection. Which also isn’t really that hard to do.

1 Like

If you are concerned about the web UI being compromised, you can self-host Bitwarden instead.

1 Like

True, but most people aren’t going to know how to do that, including myself. Wish I did, and I have read up on how to self-host some, but still don’t really understand it. I damn sure wouldn’t be able to review updates to see what’s in them before updating so I assume most others can’t either.

2 Likes

You can mitigate those concerns by only using their apps published out of band, e.g. the desktop app, extension, and mobile app, which should not be loading code dynamically from the server, and thus it would be harder to push out a malicious update targeted only at one person.

Unfortunately my understanding is some account settings can only be changed from the web vault at the moment.

1 Like
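The risk the thread keeps coming back to is that the web vault's JavaScript arrives fresh from the server on every login, so a bundle swapped for one user would be invisible to that user, whereas an out-of-band app ships its code once. One way a defender can at least make such a change noticeable is trust-on-first-use pinning of the script bundles a page loads. The script below is an added example, not Bitwarden's code and not something any poster in this thread wrote; the HTML, the bundle contents and the `fetch` callback are constructed stand-ins for a real page and a real download.

```python
"""Trust-on-first-use pinning of a web vault's script bundles (added example).

On first use, record the SHA-256 of every <script src="..."> bundle the login
page references. On later visits, re-hash each bundle and report any that
differ from the recorded pin, so an unannounced change is noticed before the
master password is typed into that page.
"""
import hashlib
import json
from html.parser import HTMLParser


class _ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    """Return the list of external script URLs referenced by an HTML page."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_bundles(html, fetch, pins):
    """Compare each referenced bundle against the stored pins.

    fetch(src) -> bytes of the bundle; pins: dict src -> sha256 hex.
    Returns (report, updated_pins). report maps src to one of
    "new" (first seen, now pinned), "unchanged", "CHANGED" or "removed".
    A CHANGED bundle is deliberately NOT re-pinned: the operator decides
    whether the change matches a published release before trusting it.
    """
    report = {}
    updated = dict(pins)
    seen = set()
    for src in script_sources(html):
        seen.add(src)
        digest = sha256_hex(fetch(src))
        if src not in pins:
            report[src] = "new"
            updated[src] = digest
        elif pins[src] == digest:
            report[src] = "unchanged"
        else:
            report[src] = "CHANGED"
    for src in pins:
        if src not in seen:
            report[src] = "removed"   # a previously pinned bundle disappeared
    return report, updated


def save_pins(path, pins):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(pins, fh, indent=2, sort_keys=True)


def load_pins(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


# --- constructed sample data (not a real vault page) -------------------------
SAMPLE_HTML = """<!doctype html>
<html><head><title>Vault</title>
<script src="/app/main.js"></script>
<script src="/app/vendor.js" defer></script>
</head><body><div id="app"></div></body></html>"""

BUNDLES_V1 = {
    "/app/main.js": b"console.log('vault v1');",
    "/app/vendor.js": b"/* vendor */",
}
# Same page, but main.js now differs from what was pinned.
BUNDLES_V2 = dict(BUNDLES_V1, **{"/app/main.js": b"console.log('vault v1'); /* unannounced change */"})


def demo():
    """First visit pins both bundles; second visit flags the altered one."""
    first, pins = check_bundles(SAMPLE_HTML, BUNDLES_V1.__getitem__, {})
    second, _ = check_bundles(SAMPLE_HTML, BUNDLES_V2.__getitem__, pins)
    return first, second


if __name__ == "__main__":
    for visit, report in zip(("first visit", "second visit"), demo()):
        print(visit, report)
```

Two caveats a practitioner should keep in mind: the check detects change, not malice, so every legitimate release also trips it and has to be compared against the vendor's published release notes or artifacts; and it only covers bundles referenced by `<script src>`, not inline scripts or modules the bundles import at runtime. It narrows the window for a silent, single-user swap; it does not close it the way a signed, out-of-band client does.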

I’m an activist in a country that doesn’t like activists.

For activists, KeePassXC is generally better for maximum privacy and control. I don’t think it wise to use Bitwarden in your case.

Cloud dependency: Bitwarden (unless self-hosted) relies on servers in the U.S., part of the 14-Eyes alliance. Authorities could compel data disclosure or force malicious updates.

On the other hand, KeePassXC is fully offline and file-based, with no servers.

2 Likes