KeePass dev refuses to patch security hole in favor of ad revenue

Carnival Boy

How does the HTTP update check create ad revenue? I haven't seen that explained.

The program won't update itself, you have to manually go to sourceforge.net and the developer's point that digital signatures are more secure than just using HTTPS anyway seems to make sense.

I don't see the issue. I'm happy to continue to use Keepass.

scottalanmiller

@Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

How does the HTTP update check create ad revenue? I haven't seen that explained.

Lost on that one here, too. I've never seen any ads associated with Keepass.

DustinB3403

If anyone is worried the MD5 and SHA1 match.

dafyre

I find this quite sad, actually. I've been a happy Keepass user for a while now... Guess I'll check out some of the others now. KeePassX looks pretty good.

Alex Sage

@dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

scottalanmiller

@aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

@dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

Or forked.

dafyre

@aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

@dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

True. But for an application such as Keepass, why risk it? KeePassX works fine with my existing database, and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

Note: I'm not terribly worried about it... but a little paranoia is safe when it comes to security.

gjacobse

@scottalanmiller said in KeePass dev refuses to patch security hole in favor of ad revenue:

I think KeePass with Chocolatey would bypass the insecure updater.

There is also the option of just not installing it.

For a number of years I have used the Portable App version.

Carnival Boy

@dafyre said in [KeePass dev refuses to patch security hole in favor of ad revenue]

and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

There is no auto-updater. You have to manually download new versions from sourceforge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

dafyre

@Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

@dafyre said in [KeePass dev refuses to patch security hole in favor of ad revenue]

and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

There is no auto-updater. You have to manually download new versions from sourceforge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

But said "update now" popup can redirect you wherever it wants assuming a hacked update popup. I know I'm pushing it, but as I said... a little paranoia can go a long way.

Dashrender

How does the popup that there is an update happen? Assuming it's that the app checks a website, we're just in for another Firesheep adventure.

wrx7m

I use Keepass and update via Ninite Pro. And I have never seen anything to do with ads in the 10 years I have been using it.

stacksofplates

So I guess I should have specified in the other thread. I use KeePassx and it's updated through yum. And the Android version of Keepass2Android (the one I use) isn't maintained by the same people.