bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Defaulting match detection to 'base' may be a security risk? #1239

Closed srd424 closed 3 years ago

srd424 commented 4 years ago

Something to think about rather than a direct bug, but I've just been reading about subdomain takeovers:

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

That links to this tweet, which suggests that LastPass autofilling with a similar algo is a security risk:

https://twitter.com/albinowax/status/1011623832766111744

I appreciate autofill is off by default, and that changing the default match type away from 'base' may impact user experience ... which may in fact lead to people copying and pasting and therefore being /more/ easily phished ... but it would be good to see some discussion of this (I didn't see any duplicate issues - apologies if I've missed it).

LuisMayo commented 3 years ago

~~I completely agree. May we use Extended TLD + 1 like other security products, like Let's Encrypt, do? It'd be safer~~ Nothing to do with the issue in general

srd424 commented 3 years ago

Hmm, not sure what you mean by extended TLD, but the issue really is subdomains that are under the control of the organization in question, but have been left pointing at an external server/service which is then discontinued. So not sure that anything other than an exact match is secure. But as I say, it's a trade-off - make life too difficult for the user and they'll probably switch to an even less secure pattern of behaviour. Maybe an explanatory dialog when autofill is enabled, forcing the user to make an explicit choice of match detection setting?
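To make the trade-off in this thread concrete, here is an added example (not Bitwarden's code, and not part of the original issue) that models three match-detection modes, 'base', 'host' and 'exact', and shows which page URLs a saved login would be offered on under each. The mode names, the `registrableDomain`, `uriMatches` and `autofillCandidates` functions, the two-entry suffix list and the vault entry are all my own constructions; a real client must use the full Public Suffix List to compute the registrable domain.

```typescript
// Added example, not Bitwarden's implementation: a simplified model of URI
// match detection to show why a 'base' (registrable-domain) match also fires
// on every sibling subdomain, including ones that have been left dangling.

type MatchMode = "base" | "host" | "exact";

// Constructed stand-in for the Public Suffix List (assumption: only these two
// multi-label suffixes exist). A real implementation needs the full list so
// that "example.co.uk", not "co.uk", is the registrable domain.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// eTLD+1 of a hostname under the simplified suffix list above.
function registrableDomain(hostname: string): string {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null; // unparseable URIs never match anything
  }
}

// Does a saved login URI match the page URI under the given mode?
function uriMatches(mode: MatchMode, savedUri: string, pageUri: string): boolean {
  const saved = parseUrl(savedUri);
  const page = parseUrl(pageUri);
  if (saved === null || page === null) return false;
  switch (mode) {
    case "exact":
      return saved.href === page.href;          // full URL, path included
    case "host":
      return saved.host === page.host;          // hostname plus port
    case "base":
      return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
    default:
      return false;
  }
}

interface VaultItem { name: string; uri: string; }

// Names of vault items that would be offered for autofill on pageUri.
function autofillCandidates(mode: MatchMode, vault: VaultItem[], pageUri: string): string[] {
  return vault.filter(item => uriMatches(mode, item.uri, pageUri)).map(item => item.name);
}

// Constructed scenario: one saved login, and a page on a forgotten sibling
// subdomain of the kind the thread describes (no real site is implied).
function demo(): Record<MatchMode, string[]> {
  const vault: VaultItem[] = [
    { name: "Example Corp SSO", uri: "https://login.example.com/signin" },
  ];
  const dormantSubdomain = "https://old-beta.example.com/";
  return {
    base: autofillCandidates("base", vault, dormantSubdomain),   // offered
    host: autofillCandidates("host", vault, dormantSubdomain),   // not offered
    exact: autofillCandidates("exact", vault, dormantSubdomain), // not offered
  };
}

console.log(demo());
```

Under 'base', any host that shares the registrable domain with the saved entry is treated as the same site, so a stale subdomain that an attacker could later claim would receive the credential; 'host' and 'exact' restrict the offer to the host (or full URL) the user actually saved, at the cost of not filling on legitimate sibling hosts such as a separate SSO domain. The dialog srd424 proposes would be the point at which to explain exactly this difference to the user.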

LuisMayo commented 3 years ago

I was thinking about something else, nothing related to this issue.

Sorry :(

clayadams5226 commented 3 years ago

We use GitHub issues as a place to track bugs and other development related issues. The Bitwarden Community Forums has a section for submitting, voting for, and discussing product feature requests like this one.

Please sign up on our forums and search to see if this request already exists. If so, you can vote for it and contribute to any discussions about it. If not, you can re-create the request there so that it can be properly tracked.

This issue will now be closed. Thanks!