#1 lumpy95 (Silver Lounger)

    KeePass wants to improve security, but money wins in the short term

    This doesn't sound good, at least in the short term.
    http://www.engadget.com/2016/06/04/k...le-due-to-ads/

    Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.

    The impact is potentially quite severe, too. An attacker could hijack the update process and deliver malware that would compromise your PC.


#2 Rick Corbett (Administrator)
    I still use KeePass so many thanks for the 'heads up'.

    As a quick mitigation I've removed the automatic 'check for updates' and will check manually in future.

keepass.png

#3 (Bronze Lounger)
    This article is referring to KeePass 2 but doesn't say if the same issue exists with 1.x. I mention this because I've never seen any advertising in the 1.x version.
    Graham Smith
    DataSmith, Delaware
    "For every expert there is an equal and opposite expert.", Arthur C. Clarke (1917 - 2008)

#4 Paul T (WS Lounge VIP)
There is virtually no chance of being compromised as it requires a MitM attack that targets the KeePass update process - which is manual anyway.
    Dominik (KeePass author) has fixed the issue in the latest version (2.34, 11/6/2016). Pretty good for a free program.

    cheers, Paul

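The flaw described in the article is that an on-path attacker can alter what the update check downloads; the fix is to make the client refuse anything it cannot authenticate. The following is an added illustration of that defence, not code from KeePass or from any poster here: the version-file format, the key pair and the "tampered" body are all constructed for the example, and verification uses a detached Ed25519 signature over the file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed "Product:Version" text file standing in for whatever an
// update check downloads (hypothetical format, not KeePass's real one).
const versionFile = "KeePass:2.34\n"

// ParseVersionFile maps product names to version strings.
func ParseVersionFile(body string) (map[string]string, error) {
	out := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(body), "\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || parts[0] == "" {
			return nil, fmt.Errorf("malformed version line %q", line)
		}
		out[parts[0]] = parts[1]
	}
	return out, nil
}

// VerifyVersionFile only parses the file after the detached signature checks
// out under the publisher's public key (shipped inside the client), so a body
// rewritten in transit is rejected before any version comparison happens.
func VerifyVersionFile(pub ed25519.PublicKey, body string, sig []byte) (map[string]string, error) {
	if !ed25519.Verify(pub, []byte(body), sig) {
		return nil, errors.New("version file signature invalid: possible tampering in transit")
	}
	return ParseVersionFile(body)
}

func main() {
	// The publisher signs the genuine file with its private key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, []byte(versionFile))

	// Genuine file verifies; a constructed on-path modification does not.
	_, genuineErr := VerifyVersionFile(pub, versionFile, sig)
	_, tamperedErr := VerifyVersionFile(pub, "KeePass:9.99\n", sig)
	fmt.Println("genuine:", genuineErr, "| tampered:", tamperedErr)
}
```

Encrypting the transport (HTTPS with certificate validation) protects the same download in a different way; signing the file additionally lets the client reject a bad file even if the server or a mirror is compromised.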

#5 (4 Star Lounger)
It's quite incredible what one gets for this FREE and open source program... there is a donate button on the left of the home page.

#6 Paul T (WS Lounge VIP)
Originally posted by gsmith-plm:
        I mention this because I've never seen any advertising in the 1.x version.
    There is no advertising in or around KeePass, either V1 or V2. There is advertising on the KeePass web site - unsurprisingly.

    cheers, Paul
