
Ah yes, the trust-the-developers-blindly vs patch asap vs supply chain attack risks. I wonder if we have any data on what is best.

I once had to re-do a Drupal install because it was very likely already being abused. Would have liked immediate auto-update in that case. Ah well.



Password managers and OSes are things that I do not want automatically updating at the whims of some remote/foreign party whom I have never met and is bound by a set of responsibilities and laws with which I am entirely unfamiliar. Network services open to the internet at large are a horse of a different color.

Ultimately, though, they could just ask. Most users probably want autoupdate, and they can opt in to that if they so desire. It's really a matter of consent, and forcing decisions down users' throats.

Most people probably don't understand or believe that they are granting these applications' vendors permanent remote access to their computer.

Honestly, I wish it were only a matter of trusting the developers. Unfortunately, it's a matter of trusting the developers, anyone from anywhere in the world who can compromise their keys/credentials, and anyone in meatspace who can coerce them to misuse those keys/credentials (such as military, police, etc.). That, it turns out, is a rather large set of people, especially when you factor in the number of state level actors from every country big enough to have an intel agency sufficiently competent to own some small software house full of C# weenies running Windows (the Bitwarden devs).


And yet you are using a product at the whims of some remote/foreign party whom you have never met and is bound by a set of responsibilities and laws with which you are entirely unfamiliar.

I get where you are coming from, but you clicking "update" instead of the dev does not guarantee the safety of the update.


This is a false dichotomy. Nobody is claiming that mindlessly clicking "update" guarantees safety.

I run a private fork of the bitwarden client, anyway. Their stock one partially trusts the iteration count of the PBKDF provided by the server, and can be tricked into sending a low-iteration hash of the master password.


It isn't universal, but browsers surely provide a good case study here. Most of them auto-update today. In the past, exploitation via bugs where patches existed but people didn't update was measurably common. Supply chain attacks against autoupdating browsers haven't really materialized.

If the goal is to prevent the most volume of exploitation, autoupdaters clearly win.


Browser vendors have teams of experienced and professional security engineers several orders of magnitude larger than the entire Bitwarden organization. They're also bound by US law.



