• 0 Posts
  • 99 Comments
Joined 1 year ago
cake
Cake day: December 29th, 2023

help-circle




  • which endpoint are you referring to?

    there are passwords exchanged when using the vault management API, but AFAIK that’s for local access (eg CLI talking to the app)

    i’m no expert on the specifics of the API; just in the description they give: https://bitwarden.com/help/what-encryption-is-used/

    Bitwarden always encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. Bitwarden servers are only used for storing encrypted data.

    PBKDF2 SHA-256 is used to derive the encryption key from your master password

    this is exactly the way this should be done. any deviation from this formula by a password manager with a server component should be viewed with extreme scepticism


  • When you login to the Vaultwarden web application it’s going to exchange your passphrase for a private key.

    bitwarden is end to end encrypted: your decryption keys never leave your device, and the server certainly never sees them

    you must always be able to trust your network

    this would be a horrible password manager. this is also not how bitwarden works

    you do still need to trust your server if you use the web interface, because any web interface can serve malicious components to exfiltrate whatever they like but native apps, assuming they’re verified appropriately, could communicate over HTTP and still not allow anyone actively monitoring your network to see any data that would be particularly useful




  • i doubt it’d be for that: if it’s a malicious link, they can just remove the post/link from their platform and the same effect is achieved

    best case scenario it’s planning for when atproto has more PDSes, front-ends, etc: in that case, a central place where all platform links go so that you can set your “home” server so that all links into atproto redirect to your home server

    worst case it’s for tracking click through for advertising



  • you’re right that this is likely to be used for tracking crap, but i wouldn’t write off the concept as only for that

    for example, home assistant has https://my.home-assistant.io/ where you can set your home assistant URL and doc links (etc) link there, and then that site in turn automatically redirects to the correct place on your local home assistant

    this could be used similarly by the fediverse: imagine my.join-lemmy.org where lemmy instances you’re not logged into redirected you to, which then in turn redirects to your home instance… that way, links across the web to lemmy would automatically redirect to your home instance

    perhaps it’s not something that’s worth the trade off - centralising in some ways - but in federated platforms on the web it’s far from a write-off









  • I’m sure Fedora is full of binary blobs and not-so-free software

    fedora is staunchly opposed to non-free software in their default distro … that spat a few weeks ago with OBS was related to that AFAIK

    unsure about like signed blobs for “security” services but i imagine they’d be very limited, and optional

    rather than sticking a white label on Fedora and call it something else

    but for what benefit? no matter what’s trying to be achieved, starting with a very full-featured, robust OS that’s widely used is going to serve you very well… not just technically (less work for the same outcome), but for human reasons

    there are loads of guides out there for how to fix fedora issues, few for guix… loads of RPMs that are compatible with fedora, and i can only imagine fewer packages for guix

    and then if you’re talking about server OSes - and actually workstations too - managing them with tools like ansible etc… fedora is going to have off the shelf solutions

    just Fedora with different theme

    well, the actual software and configuration i’d argue aren’t the important part - owning the infrastructure is the important part… package mirrors, distribution methods (eg a website), being able to veto or replace certain packages, and the branding (or regulation) that draws people to it… being able to roll out a security patch to every installation without a 3rd party okaying it, for example


  • i’d say if it happens it should start with focusing on:

    • government and workstation (this is important first to have control and independence over so that government isn’t beholden to the whims of foreign companies)
    • then server (maybe - idk really if that’s worth it though; it’s a whole can of compatibility worms and adoption expense)
    • then user desktop

    though there is the argument that workstation and user desktop are close enough to each other that user desktop should be above server, but i’d imagine it’d be more of a “home user” than gamer situation. i could imagine some regulations around refurbishing old tech with this kind of OS too, and this would be more about low spec machines (that’d help workstations too)