icon_cache leaks information

[mknj]

My Vaultwarden instance is used by some friends and i was surprised to find internal_server_name.miss entries of my friends employees in my icon_cache directory. There are also some other site entries that i really don't want to know about.

Would it be possible to disable the icon_cache completely or add an option to have an encrypted per user icon cache?

[RealOrangeOne]

Disabling outright would also remove another information leak, regarding a timing attack to work out whether there was a cache hit for a given domain or not.

You could set the icon cache to time very low, but that won't actually clean up the expired cache entries I believe.

[BlackDex]

@mknj i suggest to use icon redirect then instead of local cached.
See:

vaultwarden/.env.template

Lines 132 to 143 in 08f0de7

	## Icon service
	## The predefined icon services are: internal, bitwarden, duckduckgo, google.
	## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
	## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
	##
	## `internal` refers to Vaultwarden's built-in icon fetching implementation.
	## If an external service is set, an icon request to Vaultwarden will return an HTTP
	## redirect to the corresponding icon at the external service. An external service may
	## be useful if your Vaultwarden instance has no external network connectivity, or if
	## you are concerned that someone may probe your instance to try to detect whether icons
	## for certain sites have been cached.
	# ICON_SERVICE=internal

Encrypting the filename only will not work, because you can still open the file, or read metadata.
Just use the redirect option to prevent it from using the internal favicon downloader.