Hell, unless you have a teenager downloading warez or freeware, viruses and keyloggers are not a real issue.Īnd unless you have millions of dollars and have come to the attention of the Russian mafia or the Plagiarist Republic of China, no one is going to invest the effort to decrypt your vault. They also own software updates and firewall rules.įor most of us, decryption of the vault is not a significant threat. Azure manages hardware failover at all levels (computer, persistent storage, networking, intrusion monitoring). The point is, Microsoft has better physical security than your house. I lose my phone, laptop, and/or home server (as well as everything up to and including the clothes on my back) to natural disaster (house fire, flood, earthquake).I do live in Portland, after all. Opportunistic thieves have access to my hardware. I lose my phone, laptop, and/or home server. I think my threat profile is like most people, and self hosting is a detriment: ![]() Sources for all of this: my ass, frankly. Lastly, subjectively, don't go around on Twitter announcing your domain and challenging others to have a go at it.Īll in all, I concede that from a technical perspective, selfhosting might be dangerous and stupid. The cost of trying beyond the very basics might simply be too high. For any attacker, even if they find your instance, it's entirely opaque what's inside. I'd argue it's so strong (TOTP and better, not text message), only programmer error, aka exploitation of actual application bugs/vulnerabilities will best it.īut there's always a cost associated to anything. Use strong passwords and 2FA where possible and adequate. Keep shit patched.įor 2, change away from default credentials everywhere. Also easy to fix.ġ and 3 are somewhat related. ![]() Very easy to circumvent and do better at. That's just a risk of life and anyone is susceptibleĭefault credentials, or no credentials at all, the classic. Should they start to bot it, rate limiting and fail2ban kicks them out almost immediately (which needs to be set up, this is probably alongside OPs point!).įrom what I see, hacks/leaks mainly fall into three categories: Should a human reach the site, they'll give up after "admin:admin" credentials failed, or the /admin endpoint is disabled altogether. There's billions of sites and a human will never stumble over the correct one (I realize this is contentious security through obscurity). There's no well-known people can just start attacking. Average Joes have no surface area/exposure to speak of. Those fail at the reverse proxy, not even reaching the instance. I selfhost Bitwarden and think about the security implications quite a bit.Ĭall me naive but realistically, you'll only ever be hit by the stupidest botting attempts. Please stop leading the lemmings off the cliff. Please stop recommending self-hosting as a security feature. To state or imply otherwise is misleading at best and a patent lie at worst. That should be the default advice on this sub. The fact remains that for the greatest majority of people coming here, using the official BW service hosted by Microsoft remains the most secure way to use Bitwarden. Do you honestly think that these people are knowledgeable enough to set up their own BW service securely? Are they knowledgeable enough to evaluate the original team, their product, its source, and its security to evaluate a completely different team, with a different source to set up a secure server and host a service without succumbing to all the pitfalls of novice self-hosting and to do it better than the guys at Azure? Most self-hosting posts today are chock-full of comments asking how to register a domain or set up dynamic DNS, or asking what is Docker. Maybe.įor most people visiting this sub today that is patently untrue! If they are experts in the field, maybe they can make it even more secure. Maybe in their hands, a self-hosted instance of BW can come close to the security provided by the official service. But none of that is a security feature.īW started as a tool for enthusiasts, people who probably can review and compile source code, set up a server, and run services securely - seasoned r/selfhosted and r/HomeServer folks. You can play around, learn some things, and get control of your own data. ![]() The fact that they both made it easy to install and run the service with Docker etc., and that there are a lot of guides on how to set the whole thing up is super awesome. The fact that Dani Garcia ported the code and allowed you to host BW_rs on a low-power device like a Pi or a small VPS is even more awesome. The fact that BW is open-source allowing the ability to self-host is a very awesome and unique feature. Please stop advertising the ability to self-host BW as a security feature - it's very misleading.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |