Secureblue: Am I not supposed to use the Bitwarden addon?

I see that browser addons are discouraged in Trivalent. But there are also mentions in the docs about how to get Bitwarden’s addon working. So I’m getting mixed signals.

Am I supposed to find another way of filling my passwords? The web vault doesn’t feel like a good idea, because it won’t do the URL-matching that the addon does, which is very valuable to protect me from phishing. And it requires V8 (disabled by default in Trivalent), just like the addon. The desktop app doesn’t appeal to me at all, because it’s Electron, which is highly discouraged in secureblue.

Also: Does the toggle to enable addon support itself have any security implications? Or does it mean nothing until I actually install an addon? What I mean is, do I take a big security hit just for enabling addons at all, even before I install any?

1 Like
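The URL-matching point made in the question above is worth seeing concretely. The block below is an added example written for this thread; it is not code from Bitwarden, Trivalent or secureblue. It models the "base domain" style of matching a password-manager extension applies before offering a saved login: the page's registrable domain (eTLD+1) must equal the saved one, and an https entry is never offered on a plain-http page. The vault contents, the tiny public-suffix table and the sample URLs are all constructed for illustration; a real extension consults the full Public Suffix List.

```python
"""
Added example (not from the thread): a minimal model of the URL-matching
rule a password-manager browser extension applies before offering autofill.

Credentials saved for accounts.example.com are never offered on a lookalike
such as accounts.example.com.evil-login.net or examp1e.com, so a convincing
phishing page gets no password even if a user would have pasted one by hand.

Assumptions (all constructed for illustration):
 - the vault stores one or more URIs per credential;
 - matching is by registrable domain (eTLD+1) using a tiny hard-coded
   suffix table instead of the real Public Suffix List;
 - a scheme downgrade (saved https, page http) is rejected.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (constructed; the real one is large).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


@dataclass(frozen=True)
class VaultItem:
    name: str
    username: str
    uris: tuple[str, ...]


def registrable_domain(host: str) -> str | None:
    """Return eTLD+1 for a hostname, or None if it cannot be determined."""
    host = host.lower().rstrip(".")
    # IDNA-encode so Unicode lookalike labels compare in their punycode form.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = host.split(".")
    # Find the longest suffix present in the table, then keep one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown TLD: refuse rather than guess


def uri_matches(saved_uri: str, page_url: str) -> bool:
    """True if a saved vault URI should be offered on the given page URL."""
    saved = urlsplit(saved_uri)
    page = urlsplit(page_url)
    if saved.scheme == "https" and page.scheme != "https":
        return False  # never downgrade a saved https login to http
    if not saved.hostname or not page.hostname:
        return False
    saved_dom = registrable_domain(saved.hostname)
    page_dom = registrable_domain(page.hostname)
    return saved_dom is not None and saved_dom == page_dom


def candidates_for(page_url: str, vault: list[VaultItem]) -> list[VaultItem]:
    """Vault items whose saved URIs match the page; empty means no autofill."""
    return [item for item in vault
            if any(uri_matches(u, page_url) for u in item.uris)]


# Constructed sample vault.
SAMPLE_VAULT = [
    VaultItem("Example Mail", "alice", ("https://accounts.example.com/login",)),
    VaultItem("Example Shop", "alice", ("https://shop.example.co.uk",)),
]

if __name__ == "__main__":
    for url in ("https://accounts.example.com/sso",
                "https://accounts.example.com.evil-login.net/login",
                "https://examp1e.com/login",
                "http://accounts.example.com/login"):
        names = [i.name for i in candidates_for(url, SAMPLE_VAULT)]
        print(f"{url:55} -> {names or 'no autofill offered'}")
```

Matching on the registrable domain rather than the full hostname is the same trade-off the question alludes to: `mail.example.com` and `accounts.example.com` share one login, but anything registered under a different domain, however similar it looks, gets nothing, which is exactly the check a person copy-pasting from a desktop app or web vault has to perform by eye.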

This thread about addons in browsers may help to steer your preference: Zero-Day Clickjacking Vulnerabilities in Major Password Managers

Currently, I’m not very happy overall with Bitwarden. I’m studying to potentially migrate to KeePass.

KeePassXC is pretty nice, but I find it difficult to keep it synced between multiple devices, all of which are running a different OS. So I went for the cloud option.

I opted for convenience, like you. Unfortunately, this vulnerability in extensions on web browsers combined with the Electron app on Linux and the slower response for a fix in the issue from Bitwarden is forcing me to revisit my decision.

Secureblue locks everything down as much as possible. It’s up to you to decide which restrictions you want to ease up on.

Long story short: if you are willing to sacrifice convenience for an increased attack surface, go for it. I do it, as I can’t be bothered with manually copy pasting.

2 Likes

Sorry, are you saying that the Trivalent browser in SecureBlue is exempt from the Zero-Day Clickjacking Vulnerability reported to affect many password manager extensions?

That thread you linked doesn’t make KPXC look so good, either. But IMO, phishing is a more important attack to defend against, because it’s a lot more common than clickjacking. We all like to tell ourselves that we wouldn’t copy-paste a password into a fake website, but you know, some of those phishing sites are really convincing, so I think it would just be a matter of time.

1 Like

It doesn’t, but since it is local and is not Electron, at least I still have the option to copy and paste manually from the local app.

Hmmmm, what specifically did I say to make you draw that conclusion? I said SecureBlue locks down as much as possible, not that it protects against 0-days. I do not believe Trivalent will protect you if you enable an extension vulnerable to clickjacking, hence why extensions are disabled by default to reduce the attack surface.

Another option would be to have a separate profile with the extension and only visit sites that need the extension with that profile, keeping the main profile you use without extensions.

While certainly possible, it unfortunately wouldn’t be practical for me. Almost every site I open is something I have to log into. So really it’s the main profile that needs the extension.

I’m just going to keep the addon. This can be the “restriction I ease up on”.

Off-topic

How does this make Bitwarden look bad?

They promptly fixed this issue.

Also, most password managers like Proton Pass, 1Password, and Bitwarden all use Electron for their desktop app. The only one that is native is KeePassXC with Qt.

They didn’t.

That is why I’m studying to migrate to it.

I may stay with Bitwarden, but it is not the first time that I feel uneasy with them.