philomathic_life
I assumed TLS enforcement was not desired; however I'll remark nonetheless. Rocket is TLS capable, so a reverse proxy could still be used. Second, binding Vaultwarden to the loopback interface...
I don't have enough data to make assertions like "most projects, even if it is something secure or not do not enforce TLS on the container side", so I won't...
I would indeed force TLS; in fact that is what I am doing on my WIP Bitwarden-compatible server. How one communicates with the HTTPS server/Rocket/Vaultwarden would be considered out of...
> @zacknewman Correct me if I am wrong, but from my understanding RFC 6749 does not require that TLS termination happens on the entity serving authorization tokens. I believe Vaultwarden...
> 1. vaultwarden terminates TLS in rust and uses that to talk to the client. This clearly fits the definition. Agreed. > 2. vaultwarden terminates TLS in rust, but there's...
@eoprede, I think you've done enough to show there exist real-world setups that are "secure"; but I still fail to see how requiring TLS on Vaultwarden's side precludes such setups....
> It doesn't, but it unnecessarily complicates things IMO. As stated, I don't find that it does. This is a subjective argument that likely won't get resolved. What you find...
> Let's agree to disagree on this topic. I've said that many times already. > In regards to HTTP2/HTTP3 that is not something currently supported by Rocket (at least not...
> But as we already know, you are not going to do this. I don't appreciate that line, and so I feel the need to defend myself. As a security...
> It's not a shame or blame or anything. But you do have a strong feeling about this topic, and while I agree it should be as secure as possible,...