I'm not familiar with Bitwarden. After a bit of Wikipedia and web search research on them, I'm not sure why I'd trust 8Bit Solutions over Google for storage of my PII. Do they have the resources to keep it secure? What is their incentive structure to do so? What happens if they get bought? Should I be concerned about past errors such as "In March 2018, Bitwarden's web vault was criticized for embedding unconstrained third-party JavaScript from BootstrapCDN, Braintree, Google, and Stripe"?
It sounds like it'd add an additional layer of complexity to my situation without an obvious up-side over my existing solution.
um, no? See the famous story of Hushmail [0], which used end-to-end encryption and claimed to have no access to user email until receiving a court order. Then they modified the code they send to one client to exfiltrate encryption keys to law enforcement, and decoded all the "end to end encrypted" email.
Sure, they claim they are open source and that the infrastructure was audited, but this does not prevent them from just configuring their auto-update server to serve a very special update to a user at a specific IP.
> Then they modified the code they send to one client to exfiltrate encryption keys to law enforcement, and decoded all the "end to end encrypted" email
This is false. The decryption code was run on the server, which means the password was sent to the server briefly. Hushmail simply stored the password for a few accounts. No client code was modified nor any auto-update changed. In fact, if the criminals had used the Java applet, they'd likely have gotten away with it (assuming they didn't update it)
>However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via an SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.
>The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.
It was always like that. If your threat model is a three-letter agency/Mossad/etc. then you have very limited options. Relevant XKCD: https://xkcd.com/538/
Fortunately, since I use Chrome, I was able to log in and get them clouded over. Whew!