    KeePass dev refuses to patch security hole in favor of ad revenue

    • JaredBusch

      http://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

      Password app developer overlooks security hole to preserve ads
      KeePass wants to improve security, but money wins in the short term.

      So my question is, what is a good open source solution? I have seriously been contemplating switching from LastPass to KeePass.

      Syncing to all devices is a pain but getting easier and I was about to take a new serious look at switching.

      • Dashrender @JaredBusch

        @JaredBusch said in KeePass dev refuses to patch security hole in favor of ad revenue:

        http://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

        Password app developer overlooks security hole to preserve ads
        KeePass wants to improve security, but money wins in the short term.

        So my question is, what is a good open source solution? I have seriously been contemplating switching from LastPass to KeePass.

        Syncing to all devices is a pain but getting easier and I was about to take a new serious look at switching.

        I was too, but for a different reason. LastPass is incompatible with our company's EHR - so I was going to look at KeePass, I guess not now.

        • Jason

          I was too, mostly because if LastPass is hacked, with KeePass you have the file. I use KeePass at work, but it has no ads in it.

          • Dashrender @Jason

            @Jason said in KeePass dev refuses to patch security hole in favor of ad revenue:

            I was too, mostly because if LastPass is hacked, with KeePass you have the file. I use KeePass at work, but it has no ads in it.

            You can back up your LastPass file too.

            • Jason

              1Password is something I've been considering too. The $70 one-time version, not the subscription.

              • thwr

                Seriously, are we talking about the same KeePass2? Never saw an advertisement in the application. Or is it something in the background, like usage tracking?

                • thwr

                  Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

                  • JaredBusch @thwr

                    @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

                    As someone contemplating switching to it though, I no longer wish to.

                    • thwr @JaredBusch

                      @JaredBusch said in KeePass dev refuses to patch security hole in favor of ad revenue:

                      @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                      Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

                      As someone contemplating switching to it though, I no longer wish to.

                      Wouldn't do it either in this case, but there should be no real risk for existing users as long as you don't use the auto updater.

                      Anyway, please report back when you find something, FOSS preferred.

                      • thwr

                        Security issues in auto updaters are a big problem. Most of them are prone to man-in-the-middle attacks because they just don't use encryption and/or checksums.

                        • Dashrender @thwr

                          @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                          Security issues in auto updaters are a big problem. Most of them are prone to man-in-the-middle attacks because they just don't use encryption and/or checksums.

                          This is especially troubling on mobile devices, where I would expect you to want this type of software the most. Yeah, this is a pretty big problem - sadly, one I'm guessing it's had since day one, or when they decided to do whatever they do with advertising.

                          • Jason @Dashrender

                            @Dashrender said in KeePass dev refuses to patch security hole in favor of ad revenue:

                            @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                            Security issues in auto updaters are a big problem. Most of them are prone to man-in-the-middle attacks because they just don't use encryption and/or checksums.

                            This is especially troubling on mobile devices, where I would expect you to want this type of software the most. Yeah, this is a pretty big problem - sadly, one I'm guessing it's had since day one, or when they decided to do whatever they do with advertising.

                            Less of an issue on mobile devices; the respective app stores handle it and it's much more secure.

                            • Dashrender @Jason

                              @Jason said in KeePass dev refuses to patch security hole in favor of ad revenue:

                              @Dashrender said in KeePass dev refuses to patch security hole in favor of ad revenue:

                              @thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

                              Security issues in auto updaters are a big problem. Most of them are prone to man-in-the-middle attacks because they just don't use encryption and/or checksums.

                              This is especially troubling on mobile devices, where I would expect you to want this type of software the most. Yeah, this is a pretty big problem - sadly, one I'm guessing it's had since day one, or when they decided to do whatever they do with advertising.

                              Less of an issue on mobile devices; the respective app stores handle it and it's much more secure.

                              Good point.

                                • scottalanmiller

                                  I think KeePass with Chocolatey would bypass the insecure updater.

                                  • scottalanmiller

                                    What about this one...

                                    https://www.keepassx.org/

                                    • Carnival Boy

                                      How does the HTTP update check create ad revenue? I haven't seen that explained.

                                      The program won't update itself; you have to manually go to sourceforge.net, and the developer's point that digital signatures are more secure than just using HTTPS anyway seems to make sense.

                                      I don't see the issue. I'm happy to continue to use KeePass.

                                      • scottalanmiller @Carnival Boy

                                        @Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

                                        How does the HTTP update check create ad revenue? I haven't seen that explained.

                                        Lost on that one here, too. I've never seen any ads associated with KeePass.

                                        • DustinB3403

                                          If anyone is worried, the MD5 and SHA1 match.

                                          • dafyre

                                            I find this quite sad, actually. I've been a happy KeePass user for a while now... Guess I'll check out some of the others now. KeePassX looks pretty good.
