Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security audit #27

Closed
fredericmohr opened this issue Jan 19, 2017 · 59 comments
Closed

Security audit #27

fredericmohr opened this issue Jan 19, 2017 · 59 comments

Comments

@fredericmohr
Copy link

@fredericmohr fredericmohr commented Jan 19, 2017

Not sure in which repository this belongs, probably in all of them. Bitwarden should get a security audit to find and squash any security issues that might hide somewhere. Obviously there is the problem of financing, so maybe this can be of help. Doesn't hurt to try it, right?

https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform
https://wiki.mozilla.org/MOSS/Secure_Open_Source

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Jan 19, 2017

Thanks for the links. We are planning to have a formal audit performed.

If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.

@bcbane
Copy link

@bcbane bcbane commented Mar 23, 2017

So how close is Bitwarden to getting a formal security audit?

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Mar 23, 2017

@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.

@heyitsanthony
Copy link

@heyitsanthony heyitsanthony commented Jun 15, 2017

I noticed two potential issues from looking over the code:

  • SHA1 OAEP as an option, despite SHA1 being regarded as weak
  • AES key exchange isn't using digital signatures; it appears that a malicious server can generate its own AES keys using the client's public key, then pass them back to the user.

/cc @brianredbeard

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Jun 16, 2017

@heyitsanthony Thanks for having a look.

  • SHA1 is only used in one place throughout the application, as the underlying hash of RSA OAEP padding. My understanding from discussions on this subject is that even though SHA1 on it's own has shown to be weak, it does not weaken the security of RSA OAEP (where it is spec'd as the default function). Further, SHA256 is an option for OAEP (and was actually what we originally implemented), however, we are restricted by the least common denominator of all of the platforms that we support. For example, iOS only supports OAEP with SHA1. Our code is written in a way that we can easily migrate to OAEP with SHA256 once platform support is uniform.
  • Good catch. We should sign the organization key to prevent a bad actor on the server or MITM which could result in encrypting data with a forged key. We'd need to come up with a way to produce a signature from the key exchange that would work in this scenario where user's public keys and the organization's long-term AES key (encrypted) is stored on the server.
@dralley
Copy link

@dralley dralley commented Jun 18, 2017

I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden

@ple103
Copy link

@ple103 ple103 commented Jun 18, 2017

https://sakurity.com/securelogin
Free security audit if you implement SecureLogin.

@brianredbeard
Copy link

@brianredbeard brianredbeard commented Jun 18, 2017

@dralley This can be a double edged sword, especially for a small team. Project zero has a few built in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name).

@ple103 Personally, I would let that bake in a little bit more. The Sakurity team is till working through some of their own UX and security concerns from the community. I look forward to see how it goes in the long run but the guidance Make sure you write down your master password and that you never used this password before. is going to be a challenge for some people to accept.

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Jun 19, 2017

@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512 bit encKey). See:

5a67df6
bitwarden/web@9a7dac7
bitwarden/browser@8ff336d
bitwarden/mobile@7823ec3

This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, still leaves two scenarios open that we need to fill:

  • Signing the org key after a new user is confirmed (not just for the admin user that created the org).
  • Signing org keys that already exist under the Rsa2048_OaepSha256_B64 and Rsa2048_OaepSha1_B64 enc types. We'll need a migration prompt of some sort for this.

After these scenarios are resolved we can make the mac checks strictly enforced.

@davidkassa
Copy link

@davidkassa davidkassa commented Aug 3, 2017

I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Aug 4, 2017

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

@davidkassa
Copy link

@davidkassa davidkassa commented Aug 4, 2017

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Aug 4, 2017

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds.

@davidkassa
Copy link

@davidkassa davidkassa commented Aug 4, 2017

@petervnv
Copy link

@petervnv petervnv commented Sep 16, 2017

This could also be helpful. Not sure you know it yet

https://lgtm.com/projects/g/bitwarden/browser/

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Sep 16, 2017

Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.

@Moxville
Copy link

@Moxville Moxville commented Sep 19, 2017

some links I came across (might be useful)

Security Automation and Risk Management for Open-Source Code
https://www.sourceclear.com/

Node Security Platform
https://nodesecurity.io/

Synk
https://snyk.io/

@kspearrin kspearrin changed the title Bitwarden security audit Security audit Oct 2, 2017
@kspearrin
Copy link
Member

@kspearrin kspearrin commented Oct 2, 2017

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

@stefanmaric
Copy link

@stefanmaric stefanmaric commented Oct 2, 2017

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

@stefanmaric
Copy link

@stefanmaric stefanmaric commented Oct 2, 2017

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1

@Moxville
Copy link

@Moxville Moxville commented Oct 12, 2017

High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weakness and vulnerabilities.
Just upload your iOS or Android mobile app to start a DAST, SAST and behavioral audit for OWASP Mobile Top 10 and other vulnerabilities.
https://www.htbridge.com/mobile/

@Moxville
Copy link

@Moxville Moxville commented Oct 27, 2017

Check websites for security and performance issues with Sonar (might come in handy)
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
https://sonarwhal.com/
https://sonarwhal.com/scanner/

Scanner throws some errors for "https://vault.bitwarden.com/"
https://sonarwhal.com/scanner/7e565752-f659-4a25-9f03-d104b4e6fa2b

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Jan 18, 2018

@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don’t want it getting filled up with additional comments and discussion related to potential vulnerabilities.

@paragonie-scott
Copy link

@paragonie-scott paragonie-scott commented Jan 18, 2018

I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above.

Sorry for the confusion here.

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Jan 18, 2018

Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.

@HelpfulRock
Copy link

@HelpfulRock HelpfulRock commented Jan 18, 2018

2017 is done, any status update on this? get some quotes and open some kind of "gofundme". It should help you getting there ;)

i can only speak for myself but i would participate if there is a clear goal in terms of money needed.

Best regards

@mike-of-earth
Copy link

@mike-of-earth mike-of-earth commented Jan 27, 2018

I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once and a while.

@ghost
Copy link

@ghost ghost commented Feb 10, 2018

Echoing the sentiment here. The only thing that could entice me even more is a full audit.

@paragonie-scott
Copy link

@paragonie-scott paragonie-scott commented Apr 12, 2018

I have zero interest in paying for the audit. I'd open my wallet after they pass the audit, when I would subscribe.

Paying for an audit is a tall order for any one person. Would you contribute to a crowd-fund?

@rodalpho
Copy link

@rodalpho rodalpho commented Apr 13, 2018

Heh, clever. Of course I meant I wouldn't contribute towards an audit either. Bitwarden is a commercial entity with a business model. I don't donate to for-profit businesses, I buy goods and services from them.

But that's just me, other people have said they would do so.

@eitland
Copy link

@eitland eitland commented May 23, 2018

Heh, clever. Of course I meant I wouldn't contribute towards an audit either.

I find you unreasonably negative. Bitwarden is mostly open source and I think both I and others find it useful to sometimes contribute to products that I don't use (yet).

FWIW Scott that you replied to is a professional security researcher and it seems he's already spent some unpaid time on the code.

@rodalpho
Copy link

@rodalpho rodalpho commented May 25, 2018

I would consider contributing if the project was developed and run by a non-profit foundation like Kodi and Apache. That is not the case. I don't contribute to for-profit enterprises, and am frankly amused that you think it's unreasonable.

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

@MichaelTunnell
Copy link

@MichaelTunnell MichaelTunnell commented Jun 22, 2018

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

There is a big difference between helping out a small company trying to do something incredibly beneficial for the Open Source community such as providing an easy-to-use open source password manager for the masses . . . comparing to BILLION DOLLAR corporations.

@imakiro
Copy link

@imakiro imakiro commented Jul 9, 2018

Where is the project on the audit side of things? did you get quotes? set up a crowfunding?
We want to move to bitwarden from Lastpass but need an audit to be done for the solution to be qualified as mature...

@indolering
Copy link

@indolering indolering commented Jul 10, 2018

I would consider contributing if the project was developed and run by a non-profit foundation

Can we stop responding to people who don't understand the economics of OSS software?

don't know how feasible that is, though, or if gofundme is the right platform.

I opened a ticket for BountySource integration, which would would enable collaborative funding for any GitHub ticket.

@indolering
Copy link

@indolering indolering commented Jul 10, 2018

@kspearrin The first step is to write out an informal security model. Have you done this?

@devonjohnjames
Copy link

@devonjohnjames devonjohnjames commented Jul 15, 2018

Security audits are very expensive. Crowdfunding would make perfectly sense but the question is if security audit companies allow Bitwarden to even talk about prices. I know some forbid it...

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Jul 17, 2018

We are currently in early discussions with Cure53 about completing an audit. If anyone has suggestions of other agencies, please list them and we'll consider reaching out to them as well.

@squirrelboot
Copy link

@squirrelboot squirrelboot commented Aug 1, 2018

Just throwing that out there.. I'm willing to donate to have the security audit done. It's important to me that something I rely on this much, be as secure as it can be. Thanks.

@Moxville
Copy link

@Moxville Moxville commented Aug 4, 2018

OSTIF has done audits on VeraCrypt, OpenVPN, etc.
https://ostif.org/

@sj
Copy link

@sj sj commented Aug 6, 2018

Hi guys — Sorry for being a bit late to the party! I've just added bitwarden/core to the C# beta on LGTM.com: https://lgtm.com/projects/g/bitwarden/core/alerts

The best way (IMHO) to use LGTM, is by enabling automatic code review for pull requests. Here's an example of how that works for the team at Google (+ community) for AMPHTML: ampproject/amphtml#13060, and NASA use it for their Open-MBEE project, e.g.: Open-MBEE/mdk#105. You can enable automatic code review here: https://lgtm.com/projects/g/bitwarden/core/ci/

Any questions / suggestions / comments: give me a shout! (Full disclosure: I'm part of the team that built LGTM.com 🙂)

@sj
Copy link

@sj sj commented Aug 6, 2018

Oh, and while I'm at it — here are the results for bitwarden/mobile: https://lgtm.com/projects/g/bitwarden/mobile/alerts/

@MichaelTunnell
Copy link

@MichaelTunnell MichaelTunnell commented Aug 6, 2018

I haven't heard of this service before, that is very cool. Thanks for sharing and setting this up. Hopefully this will help the audit. 👍

Note: for those who haven't heard of this and are curious what LGTM stands for as I was . . . LGTM = "Looks Good To Me"

@sj
Copy link

@sj sj commented Aug 7, 2018

You're welcome, @MichaelTunnell — glad to have you on board!

Someone pointed out @petervnv's comment in this issue (now a year ago) out to me, so it seemed worth setting this up. Let me know what you think!

Note that you can add your own open source projects to LGTM if you like. Just log in with Google or GitHub (or create an account), and go to "My Projects". If you have a large number of projects you'd like to add: just drop me a note and I'll do them all in one go.

@Moxville
Copy link

@Moxville Moxville commented Aug 9, 2018

WhiteSource
https://www.whitesourcesoftware.com/
Free tool checks for critical open source vulnerabilities

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Aug 17, 2018

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

@rodalpho
Copy link

@rodalpho rodalpho commented Aug 17, 2018

Very good news! I look forward to switching to Bitwarden once this is complete.

@Fwardalonious
Copy link

@Fwardalonious Fwardalonious commented Aug 19, 2018

Been waiting on this security audit to switch over, glad to hear it's coming soon.

@lordraiden
Copy link

@lordraiden lordraiden commented Sep 21, 2018

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

Any news on when it will be done? will the results be public?
Waiting for it, in order to propose it in my organization

@ghost
Copy link

@ghost ghost commented Oct 9, 2018

Currently waiting for the security audit to buy my premium subscription... any update? Also is there a gofundme? I love the idea of bitwarden

@indolering
Copy link

@indolering indolering commented Oct 20, 2018

Let me know if I can be of assistance, I would love to work with Cure53!

@kspearrin
Copy link
Member

@kspearrin kspearrin commented Nov 12, 2018

An audit has been completed. See here:

https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

@kspearrin kspearrin closed this Nov 12, 2018
@paragonie-scott
Copy link

@paragonie-scott paragonie-scott commented Nov 12, 2018

See #392 for follow-up regarding the solution to one of Cure53's findings.

@ghost
Copy link

@ghost ghost commented Nov 12, 2018

👏

@timemaster67
Copy link

@timemaster67 timemaster67 commented Nov 15, 2018

You can view Cure53 original report on their website from either the Publication section, or this direct link
https://cure53.de/pentest-report_bitwarden.pdf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet