ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    KeePass dev refuses to patch security hole in favor of ad revenue

    News
    keepass security vulnerability password managers lastpass
    13
    29
    5.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • thwrT
      thwr
      last edited by

      Seriously, are we talking about the same KeePass2? Never saw an advertisement in the application. Or is it something in the background, like usage tracking?

      1 Reply Last reply Reply Quote 1
      • thwrT
        thwr
        last edited by

        Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

        JaredBuschJ 1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch @thwr
          last edited by

          @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

          Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

          As someone contemplating switching to it though, I no longer wish to.

          thwrT 1 Reply Last reply Reply Quote 1
          • thwrT
            thwr @JaredBusch
            last edited by

            @JaredBusch said in KeePass dev refuses to patch security hole in favor of ad revenue:

            @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

            Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

            As someone contemplating switching to it though, I no longer wish to.

            Wouldn't do it either in this case, but there should be no real risk for existing users as long as you don't use the auto updater.

            Anyway, please report back when you found something, FOSS preferred.

            1 Reply Last reply Reply Quote 0
            • thwrT
              thwr
              last edited by

              Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @thwr
                last edited by

                @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

                This is especially troubling on mobile devices, something I would expect you to want this type of software the most. yeah this is a pretty big problem - sadly, one I'm guessing it's had since day one. or when they decided to do whatever they do with advertising.

                J 1 Reply Last reply Reply Quote 0
                • J
                  Jason Banned @Dashrender
                  last edited by

                  @Dashrender said in KeePass dev refuses to patch security hole in favor of ad revenue:

                  @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                  Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

                  This is especially troubling on mobile devices, something I would expect you to want this type of software the most. yeah this is a pretty big problem - sadly, one I'm guessing it's had since day one. or when they decided to do whatever they do with advertising.

                  Less of an issue on mobile devices the respective app stores handle it and it's much more secure

                  DashrenderD 1 Reply Last reply Reply Quote 2
                  • DashrenderD
                    Dashrender @Jason
                    last edited by

                    @Jason said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    @Dashrender said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

                    This is especially troubling on mobile devices, something I would expect you to want this type of software the most. yeah this is a pretty big problem - sadly, one I'm guessing it's had since day one. or when they decided to do whatever they do with advertising.

                    Less of an issue on mobile devices the respective app stores handle it and it's much more secure

                    Good point.

                    1 Reply Last reply Reply Quote 0
                    • aaron-closed accountA
                      aaron-closed account Banned
                      last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        I think KeePass with Chocolatey would bypass the insecure updater.

                        gjacobseG 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          What about this one...

                          https://www.keepassx.org/

                          1 Reply Last reply Reply Quote 0
                          • C
                            Carnival Boy
                            last edited by

                            How does the HTTP update check create ad revenue? I haven't seen that explained.

                            The program won't update itself, you have to manually go to sourceforge.net and the developer's point that digital signatures are more secure than just using HTTPS anyway seems to make sense.

                            I don't see the issue. I'm happy to continue to use Keepass.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Carnival Boy
                              last edited by

                              @Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

                              How does the HTTP update check create ad revenue? I haven't seen that explained.

                              Lost on that one here, too. I've never seen any ads associated with Keepass.

                              1 Reply Last reply Reply Quote 2
                              • DustinB3403D
                                DustinB3403
                                last edited by

                                If anyone is worried the MD5 and SHA1 match.

                                0_1465212618302_chrome_2016-06-06_07-27-14.png

                                1 Reply Last reply Reply Quote 0
                                • dafyreD
                                  dafyre
                                  last edited by

                                  I find this quite sad, actually. I've been a happy Keepass user for a while now... Guess I'll check out some of the others now. KeePassX looks pretty good.

                                  A 1 Reply Last reply Reply Quote 0
                                  • A
                                    Alex Sage @dafyre
                                    last edited by

                                    @dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

                                    scottalanmillerS dafyreD 2 Replies Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Alex Sage
                                      last edited by

                                      @aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

                                      @dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

                                      Or forked.

                                      1 Reply Last reply Reply Quote 0
                                      • dafyreD
                                        dafyre @Alex Sage
                                        last edited by

                                        @aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

                                        @dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

                                        True. But for an application such as Keepass, why risk it? KeePassX works fine with my existing database, and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                                        Note: I'm not terribly worried about it... but a little paranoia is safe when it comes to security.

                                        C 1 Reply Last reply Reply Quote 1
                                        • gjacobseG
                                          gjacobse @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in KeePass dev refuses to patch security hole in favor of ad revenue:

                                          I think KeePass with Chocolatey would bypass the insecure updater.

                                          There is also the option of just not installing it.

                                          For a number of years I have used the Portable App version.

                                          1 Reply Last reply Reply Quote 2
                                          • C
                                            Carnival Boy @dafyre
                                            last edited by

                                            @dafyre said in [KeePass dev refuses to patch security hole in favor of ad revenue]

                                            and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                                            There is no auto-updater. You have to manually download new versions from sourceforge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

                                            dafyreD 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post