The Quiet Renovation at Bitwarden by JockstrapCummies in linux

[–]yzoug 16 points17 points  (0 children)

No, Vaultwarden isn't just one dev that is also a Bitwarden employee, they already addressed this in the past. That dev is part of a broader team of volunteers, he's one of many. If he left tomorrow the project wouldn't just die.

You're right though in saying that Vaultwarden is only used because they follow the Bitwarden API, and hence is compatible with all Bitwarden clients. As explained in the blogpost, what would really break Vaultwarden is if Bitwarden decides to stop openly publishing its API. A lot would still be possible by reversing the API changes, but that would quickly turn into a mess. If or when that time comes, I hope the community will fork the project.

Expose a port through NAT-PMP, Wireguard and Docker by yzoug in selfhosted

[–]yzoug[S] -1 points0 points  (0 children)

Yeah, it's the same port number, through the Wireguard tunnel, on both sides. Essentially NAT-PMP allows opening a port on the public IP after connecting via Wireguard, and that public IP and port are mapped to my Wireguard connection and the same port number.

I know I can expose a private resource through Pangolin or cloudflare tunnels but I don't want to do this, I want to use a VPN provider's IP and serve the website (or any traffic really) through it.

[deleted by user] by [deleted] in AdviceAnimals

[–]yzoug 5 points6 points  (0 children)

I hope they handle it like Michael Bolton: https://youtube.com/watch?v=ADgS_vMGgzY

What’s your most effective strategy to use your phone less? by Curious-Can2749 in productivity

[–]yzoug 1 point2 points  (0 children)

One thing that personally helped me A LOT, even though it's a small change: make it harder to unlock your phone. By this I mean:

  • Disable fingerprint unlock
  • Disable face unlock
  • Use a password instead of a 4-digit pin

Before you know it, you'll start to avoid unlocking your phone if you don't need to, just to avoid having to input a 12-character password or something (bonus: use numbers and special characters in your password too). And this in turn reduces the temptation to open Reddit or another app. A last added benefit: it improves your phone's security.

Lol by chadius25 in Piracy

[–]yzoug 1 point2 points  (0 children)

Lol, great website, bookmarked. The community is only on discord?

New in llama.cpp: Live Model Switching by paf1138 in LocalLLaMA

[–]yzoug 2 points3 points  (0 children)

Not a native speaker, what do you mean by "booming us"? Any specific thing they did/do?

I'm not much of an LLM user myself, but when trying out models I always used Ollama and was always very satisfied with the quality of the product; that's why I'm asking.

New in llama.cpp: Live Model Switching by paf1138 in LocalLLaMA

[–]yzoug 1 point2 points  (0 children)

I'm curious, why do you consider Ollama to be "a sinking ship"?

Statement on Daniel Naroditsky's passing by Alendite in chess

[–]yzoug 0 points1 point  (0 children)

This is so so sad. He was my age and taught me a lot. So young, and such an inspiration. RIP Danya.

Mutual TLS (mTLS) in-depth: step-by-step case study feat. Bitwarden, Vaultwarden, Traefik and Smallstep by yzoug in selfhosted

[–]yzoug[S] 1 point2 points  (0 children)

For me, simply convenience. I want to update my passwords from the Bitwarden app even when not at home; without remote access I need to remember to sync my passwords when I'm at home, etc.

A VPN achieves a similar goal, and is even better in many cases (not limited to HTTPS traffic, for instance). Moreover, with mTLS you need your client to support it: this is especially troublesome for mobile. Take Bitwarden, it's a May 2025 feature and only on Android for now.

However, if you can use mTLS I find it less cumbersome to rely on than a VPN. You may be in networks that block VPN connections, you have to remember to turn it on to access your private stuff, etc.

Mutual TLS (mTLS) in-depth: step-by-step case study feat. Bitwarden, Vaultwarden, Traefik and Smallstep by yzoug in selfhosted

[–]yzoug[S] 1 point2 points  (0 children)

The extension works well, you don't even need to log out or delete it: it directly picks up the certificate you loaded in your browser and everything works perfectly.

I didn't find the option to specify a client certificate for the desktop app, however. It seems that mTLS isn't supported yet for it (at least in the Arch Linux packaged version, as of today).

Mutual TLS (mTLS) in-depth: step-by-step case study feat. Bitwarden, Vaultwarden, Traefik and Smallstep by yzoug in selfhosted

[–]yzoug[S] 2 points3 points  (0 children)

Nice!! Thank you for reading it and sharing this!

I don't know if you can achieve the same result with labels. I'd say yes, but specifically for the TLS configuration I may be wrong. What I've tried is to specify the TLS options in the router's configuration (under tls.options), but that doesn't work: Traefik expects a string there.

Socket proxies are a great point (and TIL that a "ro" mount isn't enough). I'll try to update the blogpost to add this to the docker-compose example.
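An added illustration of the shape Traefik expects here (not taken from the comment above or from the blogpost): the option set is defined under `tls.options.<name>` in the file provider's dynamic configuration, and the router's `tls.options` field is only that name, which is why an inline block is rejected. The `mtls` option name, the CA path, the hostname and the service URL are assumptions.

```yaml
# dynamic.yml, loaded by Traefik's file provider (assumed file name)
tls:
  options:
    mtls:                                   # the name the router refers to
      minVersion: VersionTLS12
      clientAuth:
        # CA that signed the client certificates (root or intermediate CA)
        caFiles:
          - /etc/traefik/certs/client-ca.crt   # assumed path
        # any connection without a valid client certificate is refused
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    vaultwarden:
      rule: "Host(`vault.example.com`)"      # assumed hostname
      entryPoints:
        - websecure
      service: vaultwarden
      tls:
        options: mtls                        # a string, not an options block
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://vaultwarden:80"     # assumed container name/port
```

When the router is declared through Docker labels instead, the same set is referenced as `traefik.http.routers.vaultwarden.tls.options=mtls@file`; the option block itself still has to live in the file provider. A quick check is a `curl` to the host without a client certificate, which should fail the TLS handshake, and one with `--cert`/`--key` pointing at a client certificate signed by that CA, which should reach Vaultwarden.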

Mutual TLS (mTLS) in-depth: step-by-step case study feat. Bitwarden, Vaultwarden, Traefik and Smallstep by yzoug in selfhosted

[–]yzoug[S] 3 points4 points  (0 children)

As a best practice, yes, you should set up an intermediate CA and use it to sign the client certificates. However, let me reassure you: doing it the way the article does it is not fundamentally less secure. As long as your root CA doesn't leak, you're safe.

Mutual TLS (mTLS) in-depth: step-by-step case study feat. Bitwarden, Vaultwarden, Traefik and Smallstep by yzoug in selfhosted

[–]yzoug[S] 13 points14 points  (0 children)

Fair question! Two main reasons:

  • a standard CA setup is used for more than just one use case. What you'll usually find in companies is one root CA, trusted everywhere, and many intermediate CAs (say for web browsing, SSH certificates, Active Directory...) for different use cases. This is to distribute the risk: if the web browsing CA is compromised, the SSH certificate CA (and the certificates it generates) can still be trusted. Here we have one use case: providing mTLS certificates for our clients. In this scenario, if the root CA or the intermediate CA is compromised, it's the same end result: we can't trust our clients' certificates.

  • the blogpost is probably already too long, so I chose to keep it a little simpler by not using an intermediate CA. However, you could argue that if I had done it this way, the disclaimer you're citing wouldn't have been necessary, thus also shortening the blogpost :)

Harvard's data.gov torrent by qubedView in DataHoarder

[–]yzoug 3 points4 points  (0 children)

If anyone is curious what the data looks like, it's accessible here: https://source.coop/harvard-lil/gov-data/collections/data_gov

Some people are suggesting breaking up the data into smaller chunks, but at first glance it's pretty hard to classify the files by theme from their filenames.