• 0 Posts
  • 16 Comments
Joined 7 months ago
Cake day: October 26th, 2024


  • Let’s say I have an unapplied patch and my server is now vulnerable.

    This could really happen. I have work and life to worry about and I might not notice.

    This vulnerability could be in the BW instance itself (say, the web server or the backend itself), in the server itself (say, an old OpenSSH version), or in another service (a NextCloud instance hosted on the same server under a different subdomain).

    So first we see it’s a big attack surface. Through any of those entrances an attacker could gain access to my server, and with it the vault. It’s a short way from there to installing a keylogger on the website where BW is hosted and getting my master password ¯\_(ツ)_/¯.

    Now take into consideration that I just sat for a couple of minutes to think about this, and I’m not a professional in cyber security or web security, neither blue nor red team. A professional, with more knowledge, time, experience and resources, could probably bring up many more things.


  • Bitwarden.

    My recommendation: Don’t use Vaultwarden (the self-hostable server side of Bitwarden. Really easy to run and use). Why? You’re not security personnel, and securing your vault isn’t your job. You might make a slight mistake that’ll lead to the compromise of your vault.

    The people at Bitwarden have their work dedicated to securing vaults, and all they do is security. And they’ll probably do it better than you. When it comes to serious matters, I prefer to trust the professionals.


  • tl;dr: classic convenience vs. privacy. Depends on your threat model. Surely better than Google. Zero-trust models will help.

    That’s a great question, which I have asked myself before too. It doesn’t have one answer, and anyone would make their own choices based on their own respective threat model. I’ll answer you with some of my thoughts, and why I do use their services.

    I’ll take as an example my usage of NextCloud as a replacement for Google Drive.

    Let’s break up the setup:

    1. client (mobile app, desktop client, browser)
    2. communication to server
    3. server

    It’s oversimplified, but to the point: in Google’s setup, you have control of zero out of three things.

    1. You use their closed-source client,
    2. they decide the communication to the server (if there’s any CDN, where their servers are located, TLS version), and
    3. data is on their servers, whether encrypted or not is up to them.

    In NextCloud’s setup,

    1. The clients are open source (you can verify them, or build your own),
    2. communication to the server is up to you, and in this case you trust your data with CF, that’s right, gonna have to trust them.
    3. the server is your server, and you encrypt the files how you want.

    From just this look, NC is clearly better off. Now, it’s not perfect, and each one will make their own convenience vs. privacy trade-off and decide their deal.

    If you deploy some sort of e2ee, the severity level of CF drops even more, because they’re exposed to less data. Specifically for NC, they do do e2ee, but each solution to its own. https://nextcloud.com/encryption/ This goes as an example of a zero-trust model: if you handle the encryption yourself (like using an e2ee service), you don’t have to trust the medium your data is going through, like the open internet.
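The “handle the encryption yourself” point in the comment above, as an added example that is not part of the original comment and is not Nextcloud’s own E2EE implementation: the client seals a file with AES-256-GCM before upload, a `Relay` type stands in for the Cloudflare/server path and stores only what it receives, and the client decrypts on the way back. The relay can see the file name and the blob size but not the content, and any modification in transit makes decryption fail closed. `NewKey`, `Seal`, `Open`, `Relay` and `RoundTrip` are names chosen for this example, the file name is bound as GCM associated data by choice, and the sample file content is constructed. In a real client the key would be derived from a passphrase or kept in the OS keychain rather than generated per run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Illustrative only: a real client
// derives this from the user's passphrase or keeps it in the OS keychain.
// What matters for the e2ee argument is that it never leaves the client.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM. The file name is
// bound as associated data (a choice made for this example) so a stored
// blob cannot be silently moved to a different path by the relay.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key, plaintext []byte, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Open reverses Seal and fails closed if the nonce, ciphertext, tag or
// bound file name were altered anywhere between client and client.
func Open(key, blob []byte, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(filename))
}

// Relay is a constructed stand-in for the Cloudflare proxy and the
// Nextcloud server: it stores whatever the client hands it, by name.
type Relay struct{ store map[string][]byte }

func NewRelay() *Relay { return &Relay{store: map[string][]byte{}} }

func (r *Relay) Put(name string, blob []byte) { r.store[name] = append([]byte(nil), blob...) }
func (r *Relay) Get(name string) []byte     { return r.store[name] }

// Observe is everything the relay can learn: the name and the size
// (plaintext length + 12 + 16), never the content.
func (r *Relay) Observe(name string) (int, bool) {
	b, ok := r.store[name]
	return len(b), ok
}

// Tamper flips one ciphertext byte in place, simulating a hostile or buggy relay.
func (r *Relay) Tamper(name string) {
	if b, ok := r.store[name]; ok && len(b) > 12 {
		b[12] ^= 0x01
	}
}

// RoundTrip seals on the client, passes the blob through the relay and
// opens it again. It returns the recovered plaintext, the size the relay
// observed, and the decryption error (non-nil when the relay tampered).
func RoundTrip(key, plaintext []byte, name string, tamper bool) ([]byte, int, error) {
	relay := NewRelay()
	blob, err := Seal(key, plaintext, name)
	if err != nil {
		return nil, 0, err
	}
	relay.Put(name, blob)
	if tamper {
		relay.Tamper(name)
	}
	seen, _ := relay.Observe(name)
	pt, err := Open(key, relay.Get(name), name)
	return pt, seen, err
}

func main() {
	key, _ := NewKey()
	msg := []byte("constructed sample: tax-return-2024.pdf contents") // constructed file content
	pt, seen, err := RoundTrip(key, msg, "Documents/tax-return-2024.pdf", false)
	fmt.Printf("relay saw %d bytes, client recovered %q, err=%v\n", seen, pt, err)
	_, _, err = RoundTrip(key, msg, "Documents/tax-return-2024.pdf", true)
	fmt.Println("after relay tampering, decrypt error:", err)
}
```

The relay’s `Observe` is the whole point: with e2ee the proxy and the server are reduced to seeing names and sizes, which is the “exposed to less data” the comment describes. Sizes and names are still metadata, so this does not remove the need to trust CF entirely; it narrows what that trust covers.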