Security audit

[fredericmohr]

Not sure in which repository this belongs, probably in all of them. Bitwarden should get a security audit to find and squash any security issues that might hide somewhere. Obviously there is the problem of financing, so maybe this can be of help. Doesn't hurt to try it, right?

https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform
https://wiki.mozilla.org/MOSS/Secure_Open_Source

[kspearrin]

Thanks for the links. We are planning to have a formal audit performed.

If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.

[kspearrin]

Thanks for the links. We are planning to have a formal audit performed.

If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.

[bcbane]

So how close is Bitwarden to getting a formal security audit?

[bcbane]

So how close is Bitwarden to getting a formal security audit?

[kspearrin]

@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.

[kspearrin]

@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.

[heyitsanthony]

I noticed two potential issues from looking over the code:

• SHA1 OAEP as an option, despite SHA1 being regarded as weak
• AES key exchange isn't using digital signatures; it appears that a malicious server can generate its own AES keys using the client's public key, then pass them back to the user.

/cc @brianredbeard

[heyitsanthony]

I noticed two potential issues from looking over the code:

• SHA1 OAEP as an option, despite SHA1 being regarded as weak
• AES key exchange isn't using digital signatures; it appears that a malicious server can generate its own AES keys using the client's public key, then pass them back to the user.

/cc @brianredbeard

[kspearrin]

@heyitsanthony Thanks for having a look.

• SHA1 is only used in one place throughout the application, as the underlying hash of RSA OAEP padding. My understanding from discussions on this subject is that even though SHA1 on it's own has shown to be weak, it does not weaken the security of RSA OAEP (where it is spec'd as the default function). Further, SHA256 is an option for OAEP (and was actually what we originally implemented), however, we are restricted by the least common denominator of all of the platforms that we support. For example, iOS only supports OAEP with SHA1. Our code is written in a way that we can easily migrate to OAEP with SHA256 once platform support is uniform.
• Good catch. We should sign the organization key to prevent a bad actor on the server or MITM which could result in encrypting data with a forged key. We'd need to come up with a way to produce a signature from the key exchange that would work in this scenario where user's public keys and the organization's long-term AES key (encrypted) is stored on the server.

[kspearrin]

@heyitsanthony Thanks for having a look.

• SHA1 is only used in one place throughout the application, as the underlying hash of RSA OAEP padding. My understanding from discussions on this subject is that even though SHA1 on it's own has shown to be weak, it does not weaken the security of RSA OAEP (where it is spec'd as the default function). Further, SHA256 is an option for OAEP (and was actually what we originally implemented), however, we are restricted by the least common denominator of all of the platforms that we support. For example, iOS only supports OAEP with SHA1. Our code is written in a way that we can easily migrate to OAEP with SHA256 once platform support is uniform.
• Good catch. We should sign the organization key to prevent a bad actor on the server or MITM which could result in encrypting data with a forged key. We'd need to come up with a way to produce a signature from the key exchange that would work in this scenario where user's public keys and the organization's long-term AES key (encrypted) is stored on the server.

[dralley]

I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden

[dralley]

I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden

[ple103]

https://sakurity.com/securelogin
Free security audit if you implement SecureLogin.

[ple103]

https://sakurity.com/securelogin
Free security audit if you implement SecureLogin.

[brianredbeard]

@dralley This can be a double edged sword, especially for a small team. Project zero has a few built in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name).

@ple103 Personally, I would let that bake in a little bit more. The Sakurity team is till working through some of their own UX and security concerns from the community. I look forward to see how it goes in the long run but the guidance Make sure you write down your master password and that you never used this password before. is going to be a challenge for some people to accept.

[brianredbeard]

@dralley This can be a double edged sword, especially for a small team. Project zero has a few built in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name).

@ple103 Personally, I would let that bake in a little bit more. The Sakurity team is till working through some of their own UX and security concerns from the community. I look forward to see how it goes in the long run but the guidance Make sure you write down your master password and that you never used this password before. is going to be a challenge for some people to accept.

[kspearrin]

@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512 bit encKey). See:

5a67df6
bitwarden/web@9a7dac7
bitwarden/browser@8ff336d
bitwarden/mobile@7823ec3

This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, still leaves two scenarios open that we need to fill:

• Signing the org key after a new user is confirmed (not just for the admin user that created the org).
• Signing org keys that already exist under the Rsa2048_OaepSha256_B64 and Rsa2048_OaepSha1_B64 enc types. We'll need a migration prompt of some sort for this.

After these scenarios are resolved we can make the mac checks strictly enforced.

[kspearrin]

@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512 bit encKey). See:

5a67df6
bitwarden/web@9a7dac7
bitwarden/browser@8ff336d
bitwarden/mobile@7823ec3

This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, still leaves two scenarios open that we need to fill:

• Signing the org key after a new user is confirmed (not just for the admin user that created the org).
• Signing org keys that already exist under the Rsa2048_OaepSha256_B64 and Rsa2048_OaepSha1_B64 enc types. We'll need a migration prompt of some sort for this.

After these scenarios are resolved we can make the mac checks strictly enforced.

[davidkassa]

I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core

[davidkassa]

I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core

[kspearrin]

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

[kspearrin]

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

[davidkassa]

I didn't either. Is adding a regular scan to the CI process worthwhile? I wanted to play but trying to decide if it's worth spending a couple of nights on.

…

On Aug 3, 2017, at 8:06 PM, Kyle Spearrin ***@***.***> wrote: @davidkassa Thanks for the scan. I don't really see anything of concern in that report. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[davidkassa]

I didn't either. Is adding a regular scan to the CI process worthwhile? I wanted to play but trying to decide if it's worth spending a couple of nights on.

…

On Aug 3, 2017, at 8:06 PM, Kyle Spearrin ***@***.***> wrote: @davidkassa Thanks for the scan. I don't really see anything of concern in that report. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[kspearrin]

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds.

[kspearrin]

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds.

[davidkassa]

Cool. I got it covered :) I'll include details in the PR.

…

On Aug 4, 2017, at 3:04 PM, Kyle Spearrin ***@***.***> wrote: @davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[davidkassa]

Cool. I got it covered :) I'll include details in the PR.

…

On Aug 4, 2017, at 3:04 PM, Kyle Spearrin ***@***.***> wrote: @davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[petervnv]

This could also be helpful. Not sure you know it yet

https://lgtm.com/projects/g/bitwarden/browser/

[petervnv]

This could also be helpful. Not sure you know it yet

https://lgtm.com/projects/g/bitwarden/browser/

[kspearrin]

Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.

[kspearrin]

Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.

[Moxville]

some links I came across (might be useful)

Security Automation and Risk Management for Open-Source Code
https://www.sourceclear.com/

Node Security Platform
https://nodesecurity.io/

Synk
https://snyk.io/

[Moxville]

some links I came across (might be useful)

Security Automation and Risk Management for Open-Source Code
https://www.sourceclear.com/

Node Security Platform
https://nodesecurity.io/

Synk
https://snyk.io/

[kspearrin]

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

[kspearrin]

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

[stefanmaric]

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

[stefanmaric]

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

[stefanmaric]

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1

[stefanmaric]

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1

[Moxville]

High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weakness and vulnerabilities.
Just upload your iOS or Android mobile app to start a DAST, SAST and behavioral audit for OWASP Mobile Top 10 and other vulnerabilities.
https://www.htbridge.com/mobile/

[Moxville]

High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weakness and vulnerabilities.
Just upload your iOS or Android mobile app to start a DAST, SAST and behavioral audit for OWASP Mobile Top 10 and other vulnerabilities.
https://www.htbridge.com/mobile/

[Moxville]

Check websites for security and performance issues with Sonar (might come in handy)
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
https://sonarwhal.com/
https://sonarwhal.com/scanner/

Scanner throws some errors for "https://vault.bitwarden.com/"
https://sonarwhal.com/scanner/7e565752-f659-4a25-9f03-d104b4e6fa2b

[Moxville]

Check websites for security and performance issues with Sonar (might come in handy)
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
https://sonarwhal.com/
https://sonarwhal.com/scanner/

Scanner throws some errors for "https://vault.bitwarden.com/"
https://sonarwhal.com/scanner/7e565752-f659-4a25-9f03-d104b4e6fa2b

[kspearrin]

@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don’t want it getting filled up with additional comments and discussion related to potential vulnerabilities.

[kspearrin]

@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don’t want it getting filled up with additional comments and discussion related to potential vulnerabilities.

[paragonie-scott]

I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above.

Sorry for the confusion here.

[paragonie-scott]

I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above.

Sorry for the confusion here.

[kspearrin]

Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.

[kspearrin]

Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.

[MarcReckel]

2017 is done, any status update on this? get some quotes and open some kind of "gofundme". It should help you getting there ;)

i can only speak for myself but i would participate if there is a clear goal in terms of money needed.

Best regards

[MarcReckel]

2017 is done, any status update on this? get some quotes and open some kind of "gofundme". It should help you getting there ;)

i can only speak for myself but i would participate if there is a clear goal in terms of money needed.

Best regards

[mike-of-earth]

I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once and a while.

[mike-of-earth]

I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once and a while.

[JSN190]

Echoing the sentiment here. The only thing that could entice me even more is a full audit.

[JSN190]

Echoing the sentiment here. The only thing that could entice me even more is a full audit.

[bmather9]

I'd pay for premium if there were a full audit.

[bmather9]

I'd pay for premium if there were a full audit.

[indolering]

Publishing an informal security model would be a good start. There are lots of bits-and-pieces on the website and in your repos, but they are pretty generic and don't go into the necessary technical detail.

[indolering]

Publishing an informal security model would be a good start. There are lots of bits-and-pieces on the website and in your repos, but they are pretty generic and don't go into the necessary technical detail.