• 0 Posts
  • 33 Comments
Joined 1 year ago
cake
Cake day: June 30th, 2023

help-circle



  • KeePassXC you would put the sync-file itself into syncthing or something, and then KPXC would resolve changes between the sync file back to the main vault. I don’t use this method directly so I might be incorrect on the details, but it is possible to setup in a device to device manner.

    You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices. It does not use cloud hosting or servers. It has the equivalent of a 90s FPS matchmaking lobby, so you can find your own devices latest IP.

    You register the devices with each other with their generated ID codes. Then you ask the matchmaking server when it last saw that alias. It gives you the last IP that checked in with that unique alias. It then contacts that OP, and performs a handshake. If it passes, your two devices can now sync directly. The matchmaking relay has 0 data of yours, and 0 ability to associate your unique ID with a name, hardware, or anything other than a last seen IP. When on the same LAN, devices don’t even query the matchmaking relay if you don’t want. It’s totally offline.

    If you elect to, you can allow relays to let you tunnel of you have NAT issues, and your end to end encrypted data can be synced through a relay. In those cases then yes, you are extending a bare minimum trust, and you fully encrypted data would temporarily pass on the relay’s RAM. If this makes you paranoid, you can easily add a password to the sync folder itself, encrypting it unless another user inputs the password on the other end. Adding another layer if you wanted.

    I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily. Syncthing works for tons of devices and other purposes as well, preventing to host a password sharing only tool, and just letting you use a direvy device to device sync tool. I don’t know how or why you would have vault conflicts, but it really does sound like something fixable. Running this for years and I’ve never run into it.


  • This is one of the rare cases where I believe security through obscurity applies.

    What is the most ripe attack target: the password hosting service with millions of user credentials, or literally some random IP address using syncthing that could be sending literally anything that you don’t know is passwords or porn.

    Companies like Bitwarden and 1Password and LastPass are doomed to have failures, just like any major corporation. They are too big with too much attack surface, and clearly advertise that they have stuff worth stealing.

    Me? My KeePass vault is synced via Syncthing with no relay data, so it only ever exists on my phone and desktop, and is encrypted with what is today functionally unbreakable encryption. Today at least (RIP when quantum chips get good).

    And my data is a blade of grass in a field. Sure there is a narrow chance someone snooping on my entire geographic area and stealing packets like the FBI could grab some packets in transmission. But they show nothing, and mean nothing. And the FBI has easier ways to get our data anyways.

    Point is, I’d rather take my odds as a heavily encrypted file syncs between singular devices like a drop of water in the ocean, versus putting all my diamonds in Joe’s Diamond Emporium and just hoping no one decides to steal MY diamonds when it (inevitably) gets robbed.


  • In this circumstance, you can turn on simple versioning for the password vault. It will keep both vault copies and you can merge your changes together manually in the event this happens, no loss of data.

    For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate. Not saying it doesn’t happen, but I believe this can be solved.

    However KeePassXC’s sync feature does sync the vault.

    Syncthing does not have a server. The relay only serves to match your current client (device A) with the IP of your other client (device B). Nothing else passes through it unless you opt into using relaying in case you have NAT issues.

    If you are paranoid, the software is open source and you can host your own relays privately, but again, it is similar to a matchmaking service, not data transfer.

    Syncthing is a direct device to device transfer. No server in the middle unless you want it.

    https://docs.syncthing.net/users/relaying.html


  • This still requires a server setup, focused entirely on passwords. Why do that?

    Why not just use KeePass or KeePassXC, and use Syncthing for this and general files, or KeePassXC’s keeshare sync to sync the files without any hosting, server, or other services.

    Extremely simplified tldr: both of these are like a authenticated private bittorrent, where the “tracker” only helps you find yourself on another devices, no data is ever sent outside of your authenticaed devices, and all transmissions are encrypted as well.




  • “Moving the goal posts” I fail to see how I’m changing the conditions. I’m explaining a clear and obvious issue in that image which is why it’s not a good comparison.

    Okay, extensions require container processes, for each one. Each new extension add to the RAM usage. For both Firefox and Chrome.

    So already the comparison is flawed because Firefox now requires more base memory to load those extensions out the gate.

    But now, Firefox is clearly showing Tampermonkey in the toolbar, a userscript extension. Let’s just say I run a script that fetches competing price info from temu.com when you browse a site like amazon. Not uncommon.

    Let’s say I set that to loop, so it’ll work on infinite scroll pages too.

    Okay, now if you leave your browser alone for an hour and it’s refreshing these scripts, guess what happens to the memory?

    Every test of current builds of FF vs Chrome has found extremely negligible performance differences when both are stock installs.









  • Make the children internet token based for kids, use a yubikey or something (no password to learn), and leave the regular internet as is. Make ISPs provide families with kids access to both, either via subnet or dedicated hardware.

    From there just have policy to not give the unrestricted network access to kids. Aka parenting. Public institutions like libraries can have most open terminals on the “safenet” and limited public access to the unfiltered net.

    For a “poor man’s version” of this concept, you could do a pi-hole sub-network for home use, but the internet elsewhere is still the internet.

    That’s one possible idea anyways, and a damn sight better than porn credits.