What are the Pros and Cons with regards to adding a browser add-on like Bitwarden?
I find it very useful to have stored passwords in a password manager like this, as it greatly reduces the risk of me getting phished. My credentials are only stored for the official URL.
It also helps to ensure that I have strong, unique, passwords for every site.
On the other hand, there’s the browser fingerprinting.
What’s the pragmatic approach here?
Hi LakeMonster
Using Non-default Add-ons in Tor Browser is strongly recommend against.
The Tor Project explicitly warns against using non-default add-ons with Tor Browser:
However, the only add-ons that have been tested for use with Tor Browser are those included by default. Installing any other browser add-ons may break functionality in Tor Browser or cause more serious problems that affect your privacy and security. It is strongly discouraged to install additional add-ons, and the Tor Project will not offer support for these configurations.
https://whonix.org/wiki/Tor_Browser#Unsafe_Tor_Browser_Habits
https://whonix.orgwiki/Tor_Browser#Non-default_Add-ons
Recommend: Find a open-source password manager that stores passwords locally
Related:
https://forums.whonix.org/t/add-password-manager-by-default/189
Well, thanks, but this hasn’t answered any of my questions. I was already aware that installing add-ons is highly discouraged. But, aside from “browser fingerprinting”, there’s never any intelligent reason why not to.
Sure, if you install all kinds of social media add-ons you are risking de-anonymizing yourself. But I was asking about Bitwarden specifically.
Is there any REAL WORLD evidence that this is actually a bad practice. Or is it simply an issue of browser fingerprinting?
And if it’s only browser fingerprinting, how easy is it to detect such an add-on?
Yes, I’m aware that I can use KeePassXC. That doesn’t address any of my issues though, and it doesn’t help with the reasons I use Bitwarden in the first place.
Are there any technical reasons that I shouldn’t use a password manager like Bitwarden, aside from “Tor Project says not to because it could be bad maybe but we aren’t sure and can’t give any specifics but don’t do it because reasons”
EDIT: This seems useful: Browser Plugins - Whonix
The concern against browser plugins can be broken down to:
- Non-Free Software.
Bitwarden is FOSS.
- Linkability: browser plugins use can be probably correlated to the same pseudonym.
I have a unique workstation for each pseudonym. Nothing to be correlated.
- Fingerprinting: browser plugins can probably leak lots of information about your (virtual) operating system (Whonix-Workstation)
OK. I was under the impression that it was not difficult to determine my OS (Qubes-Whonix) anyway. Exposing myself to targeted attacks is an issue, but a minor one, until there are known exploits against Qubes-Whonix?
- Security: some plugins have a history for remote exploits. More precise: the risk for your virtual operating system to get infected by trojan horses etc. is higher.
Bitwarden is FOSS. I don’t think the risk level is very high.
Now, all that being said. . . is there any real reason why I shouldn’t use Bitwarden?
(I will check browser fingerprinting sites to see how unique it makes me. I’m not sure how serious of an issue this is, unless I am extremely unique. But as BitWarden advertises itself as TorBrowser compatible, I can’t imagine that it’s super-unique if I use it.
Still interested in more input though.
It’s a bad idea to make oneself pseudonymous rather than anonymous.
An add-on is not a plugin but as far as what you quoted it’s quite related indeed.
These tests are far to underdeveloped to catch each possible tracking issue. References are linked from here:
Browser Tests - Whonix
All browsing of that one VM possibly correlated to the same pseudonym. All VMs using that add-on possibly correlated to the same pseudonym (or at very least very strong anonymity set reduction).
Unfortunately anonymity is not possible for my purposes. So I have various Pseudonyms isolated to their own workstations. For me, this is unavoidable.
I happen to agree with Kammerer’s assessment of browser fingerprinting. I am already pseudonomynous, that is the very best I can hope to achieve based on my use case.
Are you saying that software installed in one TemplateM can be used to correlate all TemplateBasedVMs?
In this case, I don’t think that would apply. Bitwarden is not installed locally using a package manager. It’s just the browser XPI, if I’m not mistaken. This is installed in each VM, on a case-by-case basis, but should have no code being shared between instances if I understand correctly.
If you mean something else, then I beg your pardon.
Each bitwardn instance has it’s own login, it’s own set of login credentials. There’s nothing being shared whatsoever, as far as I can tell.
There have been many supports requests in the past with users reporting unexpected/unwanted behavior while using Whonix. While some are due to bugs, miss-configured applictions etc. There are many that are due to users not following Whonix/Tor guidelines aka “Do Nots”, best practices etc. And many of the issues reported seriously degraded anonymity.
While it is know that using non-default add-ons degrades anonymity due to fingerprinting. The real problem has to do with the possibility that Bitwarden will break Tor Browser functionality. This could be very serious problem and chances are you will not even notice that there is a problem. I this worth taking the risk??
Absence of evidence is not evidence of absence
Compatible how?
Conclusion:
Whonix and Tor are not perfect solutions to keep users anonymous. While they are important, anonymity also is dependent on user behavior such as following best practices. Not “just” because a Tor dev said so. Because its the right thing to do. There are to many unknowns with Bitwarden and unknowns can be very dangerous.
anonymity vs features
which is more important?
If anyone comes up with an actual use case where Bitwrden “break tor browser”, I’d love to hear it.
Absence of evidence is not evidence of absence.
In some circumstances it can be safely assumed that if a certain event had occurred, evidence of it could be discovered by qualified investigators. In such circumstances it is perfectly reasonable to take the absence of proof of its occurrence as positive proof of its non-occurrence. — Copi, Introduction to Logic (1953), p. 95
TMYK
Hello @LakeMonster,
It isn’t really fair to expect a specific reason to not use BitWarden. Add-ons create variations in browser behavior, and there are thousands available. Testing an add-on’s effects are impossible unless developers stay focused on the core software components. This, in a nutshell, is why Tor recommends not installing any add-ons and also Tor’s theory behind fingerprinting. I’d like to avoid debating fingerprinting with you, so…
Your issue is not only fingerprinting. What about possible data leaks, misbehaving code? Browsers are a huge vector of attack from both external and internal sources, such as add-ons. You should probably keep your sensitive data away from an attacker’s most viable targets.
Maybe you should use a password manager (like @0brand recommended) on the host or in a separate VM and pass it through via clipboard-sharing? (KeePass is good.)
Good day.
If we forget supposition and deal with facts (my emphasis):
Academics suggest that around 33 bits of information is required to positively identify one person out of several billion!
For anonymity, it is necessary to reduce the number of bits of information (entropy) the browser provides to an acceptable lower bound; for instance, 18.1 bits of entropy means that a browser chosen at random will share the fingerprint with one in 286,777 other browsers. Browser uniqueness research has revealed the entropy associated with various pieces of browser information:
Variable Entropy (bits)
Plugins 15.4
Fonts 13.9
User agent 10.0
HTTP accept 6.09
Screen resolution 4.83
Time zone 3.04
Supercookies 2.12
Cookies enabled 0.353
&
The EFF has found that while most browsers are uniquely fingerprintable, resistance is afforded via four methods:
- Disabling JavaScript with tools like NoScript.
- Use of Torbutton, which is bundled with Tor Browser and enabled by default.
- Use of mobile devices like Android and iPhone.
- Corporate desktop machines which are clones of one another.
With JavaScript disabled, Tor Browser provides significant resistance to browser fingerprinting:
- The User Agent is uniform for all Torbutton users.
- Plugins are blocked.
- The screen resolution is rounded down to 50 pixel multiples.
- The timezone is set to GMT.
- DOM Storage is cleared and disabled.
At the time of writing, Panopticlick only returns 6.63 bits of information for Tor Browser with JavaScript disabled. This is equivalent to sharing the same fingerprint as 1 in 99 other browsers due to the 2 million strong pool of near-identical users.
Conclusion:
To an advanced network adversary, you’re probably the only one running this add-on with Tor Browser. So, rather than just being similar to 1 in 1/4 million other users (assuming add-ons have similar # of bits to plug-ins), you probably just became utterly unique.
Network observers would simply track the unique signature everywhere you go:
There goes Bitwarden Bob again! Go Bobby! Fly like the wind my son!
Simply a horrible idea. Use a proper program like KeePassX and copy and paste the password as required. In Qubes-Whonix, keep the master password file in an offline AppVM i.e. “none” set for networking.
LMAO! I just sprayed coffee all over my monitor Thanks! I really needed a good laugh 
10 minutes later… still
20 minutes later… still cleaning
Yes I know, drinking beverages while Whonixing is recommended against. 
I assume you both meant KeePassXC, which is far superior to the above. I already use this. I need a isolated database for each pseudonym, so I can’t have just one offline database. I would need 4 or 5. So I just keep them in the isolated Whonix Workstations, and have a single database which I backup all the other databases into. Although this doesn’t help prevent my passwords from being stored in an online machine.
It would be too easy to accidentally cross contaminate pseudonyms if I was constantly using the secure clipboard to transfer passwords from the vaults to the VMs.
But that is not the primary purpose of Bitwarden for me anyway. Like I said above, it is hugely beneficial in preventing phishing attacks. I am regularly targeted with spear phishing attempts, so the benefit of having bitwarden only put my password into pages with matching URLs cannot be overstated.
eh?
My results are the same with or without BitWarden enabled.
No fingerprinting sites that I can test my browser with seem to detect my addons.
Are you saying that although no sites are giving scores based on browser addons, a state level adversary would be able to identify me?
Or did you perhaps confuse Add-On with PlugIn, as I did?
Can we not derail threads with cringey attention whoring? Thanks.
I wouldn’t trust a link someone sends me in an email etc…
There are different methods to verify a website. Try searching for the site yourself or you can check the sites fingerprint with this tool.
https://www.grc.com/fingerprints.htm
I wouldn’t use it by itself though. Use in conjunction with other methods
Don’t take it personal 
Quite possible since these browser test websites are very underdeveloped.
Not in Jessie or Stretch (Buster?).
firefox - Exact difference between add-ons, plugins and extensions - Stack Overflow
No
Yes. Tor devs are very clear (my emphasis):
The Design and Implementation of the Tor Browser [DRAFT]
Users are free to install these addons if they wish, but doing so is not recommended, as it will alter the browser request fingerprint.
Note also that to ensure proxy obedience:
Disabling system extensions and clearing the addon whitelist
Firefox addons can perform arbitrary activity on your computer, including bypassing Tor. It is for this reason we disable the addon whitelist (xpinstall.whitelist.add), so that users are prompted before installing addons regardless of the source. We also exclude system-level addons from the browser through the use of extensions.enabledScopes and extensions.autoDisableScopes. Furthermore, we set extensions.systemAddon.update.url and extensions.hotfix.id to an empty string in order to avoid the risk of getting extensions installed by Mozilla into Tor Browser, and remove unused system extensions with a Firefox patch.
In order to make it harder for users to accidentally install extensions which Mozilla presents to them on the about:addons page, we hide the Get Addons option on it by setting extensions.getAddons.showPane to false.
It is clearly a fingerprinting issue:
End-user Configuration Details
End-user configuration details are by far the most severe threat to fingerprinting, as they will quickly provide enough information to uniquely identify a user. We believe it is essential to avoid exposing platform configuration details to website content at all costs. We also discourage excessive fine-grained customization of Tor Browser by minimizing and aggregating user-facing privacy and security options, as well as by discouraging the use of additional plugins and addons. When it is necessary to expose configuration details in the course of providing functionality, we strive to do so only on a per-site basis via site permissions, to avoid linkability.
Conclusion:
Even if you avoid JavaScript to minimise fingerprinting vectors, you will end up using it selectively on those “special sites” you want to use the password manager add-on.
The effect will be the above fingerprinting occuring on “Hidden Special Sauce Website #1, #2, #3…”, where again, you’re probably the only person running Tor Browser with this feature detected by the server at that time.
You’d be toast with the obvious fingerprint. Best to defer to the Tor devs informed opinion, than be punished later on.
I’m talking about Hidden Services, specifically V3. Very easily to mistakenly click on a link that looks like the link you want to go to, and then provide your credentials.
I don’t mean to be difficult, but is anyone aware of any specific technique that could determine that I am using BitWarden or any other add-on for that matter?
If you’re looking for official repos.
Alternatively, you can use unofficial repo for Jessie/Stretch, or the AppImage
U and Me
And perhaps also the same state-level adversary that I don’t trust to begin with.
An addon could bypass Whonix Gateway’s Tor Routing?
BitWarden doesn’t require any special JS features? I never enable JS for any reason. No sites that I use would ever require such a thing from their users.
I appreciate everyone’s input here.
No, unless you go deep down the research of browser fingerprinting. If “working exploit” is your requirement of proof, I cannot provide it. This is a only a logical argument. There are certain assumptions.
Therefore the conclusion and recommendation is to avoid using add-ons. And the common mindset is to prioritize caution over usability and risk.
Actually, yes my view was too strong.
Based on resources like:
1. The Tor Design document
The Design and Implementation of the Tor Browser [DRAFT]
2. Fingerprinting methodologies in use e.g.
The site you are visiting may choose to analyze your browser using JavaScript, Flash and other methods (just like Panopticlick does). It may look for what types of fonts you have installed, the language you’ve set, the add-ons you’ve installed, and other factors. The site may then create a type of profile of you, tied to this pattern of characteristics associated with your browser, rather than tied to a specific tracking cookie.
(e.g. one way is related to website page changes e.g. ability to identify adblockers and so on)
3. Mozilla Fingerprinting Info page
https://wiki.mozilla.org/Fingerprinting
JS behavioral tests
Can be used to gather information about whether certain addons are installed, exact browser version, etc. Probably nothing we can do here.
etc etc.
Probably fairer to say, lesser adversaries can reveal the presence of specific addons, due to their impact on web page content, such as NoScript and ad-blocker.
Presumably JS enabled will enable the detection of specific add-ons that change web pages or web requests in other ways.
The impact of “passive” addons in aiding detectibility is less clear. I do note that JavaScript has been used for more than a decade to reveal the presence of certain other add-ons (can’t find link at present)
Plus, addons are generally horribly exploitable e.g.
NoScript and other popular Firefox add-ons open millions to new attack | Ars Technica
I image advanced adversaries can discover all kinds of things we are yet to discover about the browser configuration, but admittedly speculation.
It is unclear what the impact of Bitwarden actually is, since it has permission to access data for all websites, which means in practice:
Permission request messages for Firefox extensions | Firefox Help
The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.
Extensions requesting this permission might:
- Read product and price information from a page to help find you the best price on items you’re shopping for
- Offer a password manager that reads and writes details of your username and password
- Provide an ad blocker by reading the content of each web page you open to find and remove ad code
Anyway, I don’t think it really matters. Based on advanced fingerprinting of video card capabilities, plus audio fingerprinting that is becoming more common, the real threat is JavaScript, since essentially everyone’s machine is unique with sufficiently advanced tests meaning it can’t be enabled for proper anonymity.
This is not an issue of usability. It is a question of caution in one way vs caution in another. If I protect my right, I expose my left, if I protect my left, I expose my right.
If I don’t use bookmarks or password manager, then I am susceptible (more so) to spear phishing attempts. Links left on forums, or sent in PMs, trying to direct me to the fake websites where my pseudonyms are well known. This is why the pseudonym issue does not effect me. I have a well known identity (pseudonym) already established. And as a part of this, I have people who will try to steal my credentials, and gain access to my cryptocurrencies, and personal information.
So, it needs to be easy and convenient for me to confirm I am on the proper hidden service. BitWarden is one way to accomplis this.
It is convenient and usable, but I before Bitwarden I was quite comfortable using KeePassXC, which can store URLs and launch TorBrowser, along with storing the credentials for all the sites I visit. As well as crypto seeds and private keys and such.
That system is still in place anyway. But it is not convenient or practical to open KeePassXC every time I want to confirm a url.
BitWarden kills many birds with one stone, which is why I am so carefully trying to determine if it is an excessive risk or not.
I am not talking about anything fly-by-night, I am talking about a very popular open source project. Just to be clear.
Thank you all for all of your input, This has all been very enlightening. Intuitively, I could not really see what harm BitWarden was doing. It doesn’t really do anything besides detect password fields and will auto-type your password and username for you. I couldn’t really imagine how this could be harmful, so long as there wasn’t some header or something I was missing that is screaming “BITWARDEN IN USE”.
I obviously couldn’t be sure, but as I said, the risk it is protecting me from is substantial. There are a LOT of phishermen out there trying to get access to crytocurrency accounts.
It is quite common to see fake links to XMR.to’s hidden service, trying to get you to send the fake site your Monero. An error like this could be catastrophic.
Once again, thank you all, and I highly recommend you give Bitwarden a try. It is a very nice replacement for things like LastPass. It can be run locally with no need for remote servers. Has very good open source encryption, etc etc
Otherwise, I recommend you use KeePassXC over the other variants. Very active open source community.
Javascript is enabled by default on Tor Browser. Disabling already places you in a smaller group.
But, I think all the discussion about “No Javascript” is highly theoretic.
How did you post on this forum with Javasctipt disabled?
Today Javascript is used to fingerprint aspects as subtle as users’ mouse movement habits. I think the safe assumption in the real world is that you ARE fingerprinted. Now, conduct all your actions with that in mind.
I don’t understand however what is the main problem you try to solve. Unless you continuously access new sites you can save the links, either as bookmarks or in a simple text / html file. Services such as shapeshift don’t change their url from one day to the next.
I meant:
When I am using the pseudonym(s) that require the security and anonymity, I have JS disabled at all times. The places where I use that pseudonym would not code in JS.
This pseudonym is of no consequence. It is just for information seeking.