Should I install Bitwarden on my future laptop or should I use the web version?

I'm debating whether I should install Bitwarden on my future laptop or if I should just use the web version. I don't know which one to do, so please help me out.

1 Like

Bitwarden’s online terms of service are meh. (Summary)

From a privacy perspective, it probably makes more sense to use the web version as you have more control over what they can access. Additionally, if we assume that both the desktop install and the mobile app share roughly the same permissions and trackers, then sandboxing the service to a browser seems to be the best option.

If you're looking for the most privacy, perhaps consider moving to KeePass.

2 Likes

Thank you friend

1 Like

I stick to the Firefox plugin. I almost never use anything else. I do have the Android app on my phone. My account is locked with my Yubikey so I’d like to think it’s safe.

1 Like

I’d recommend sticking with the add-on. The web vault is much more vulnerable. Even though all passwords are encrypted, anyone with a valid HTTPS certificate for vault.bitwarden.com could MITM the JavaScript that runs in the browser and use it to leak all your decrypted passwords. It’s not a “vulnerability” per se but it’s certainly a lot less secure than the average app/addon delivery mechanism.

2 Likes

Thanks for making the distinction between the extension and the web app. I thought the extension was just the web app in miniature or something like that. I didn’t know it was like an install of the software that is just syncing.

I like the web version because it helps maintain security: if my computer gets compromised, the attacker doesn’t have access to my passwords. And I always use HTTPS encryption when connecting to Bitwarden online.

But if you download it on your laptop, you won’t have to log into Bitwarden every time. This can be helpful if you lose your 2FA device, but similar functions can be achieved with the web version if you click “don’t ask again on this device” while entering your 2FA code.

You shouldn’t use the web version and should use the app instead, since by using the web version you put some trust in Bitwarden’s servers not to serve you malicious JavaScript that could figure out your passwords, which are protected by E2E. The apps, however, store some files locally, so if the malicious server were to do something nasty, it couldn’t, since those checksums won’t match between the local and malicious packets.

I don’t know for sure, but it seems likely that Bitwarden would have enabled Certificate Authority Authorization (CAA) in their DNS records to restrict who can issue a certificate for their domains (their TLS certificate issuer is Cloudflare):