  1. #1
    Silver Lounger lumpy95's Avatar
    Join Date
    Feb 2013
    Location
    Mojave Desert CA
    Posts
    1,842
    Thanks
    258
    Thanked 175 Times in 148 Posts

    KeePass wants to improve security, but money wins in the short term

    This doesn't sound good, at least in the short term.
    http://www.engadget.com/2016/06/04/k...le-due-to-ads/

    Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.

    The impact is potentially quite severe, too. An attacker could hijack the update process and deliver malware that would compromise your PC.


  3. #2
    Super Moderator Rick Corbett's Avatar
    Join Date
    Dec 2009
    Location
    South Glos., UK
    Posts
    2,143
    Thanks
    101
    Thanked 579 Times in 464 Posts
    I still use KeePass so many thanks for the 'heads up'.

    As a quick mitigation I've removed the automatic 'check for updates' and will check manually in future.

    [Attachment: keepass.png]

  4. #3
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Delaware, US
    Posts
    1,161
    Thanks
    19
    Thanked 99 Times in 88 Posts
    This article is referring to KeePass 2 but doesn't say if the same issue exists with 1.x. I mention this because I've never seen any advertising in the 1.x version.
    Graham Smith
    DataSmith, Delaware
    "For every expert there is an equal and opposite expert.", Arthur C. Clarke (1917 - 2008)

  5. #4
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,180
    Thanks
    47
    Thanked 983 Times in 913 Posts
    There is virtually no chance of being compromised as it requires a MITM attack that targets the KeePass update process - which is manual anyway.
    Dominik (KeePass author) has fixed the issue in the latest version (2.34, 11/6/2016). Pretty good for a free program.

    cheers, Paul

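The attack the Engadget piece in post #1 describes (an on-path attacker rewriting a version check that travels over plain HTTP) and the shape of the fix Paul mentions for 2.34, as an added Python example. This is not KeePass's own code: the version-file format, the URL, the installed/latest version numbers and the toy textbook RSA are all assumptions for the demo (production software uses a vetted library with proper padding), and "signed version file fetched over HTTPS" is the general remedy, not a statement of exactly what 2.34 changed.

```python
import hashlib
import random
from urllib.parse import urlparse

# Toy textbook RSA, for illustration only (no padding; use a real library in practice).
def _is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)); e is prime, so gcd(e, phi) == 1 iff phi % e != 0."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# The version check itself.
def parse_version_file(text):
    """'Product:maj.min' lines -> {product: (maj, min, ...)}. The line format is an
    assumption for this demo, not KeePass's actual version file."""
    versions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        product, ver = line.split(":", 1)
        try:
            versions[product.strip()] = tuple(int(x) for x in ver.strip().split("."))
        except ValueError:
            raise ValueError(f"malformed version entry: {line!r}")
    return versions

def naive_update_available(body, installed):
    """Pre-fix pattern: believe whatever arrived, over whatever transport."""
    return parse_version_file(body.decode()).get("KeePass", ()) > installed

def verified_update_available(url, body, sig, pub, installed):
    """Hardened pattern: TLS for the transport, publisher signature for the content."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing plaintext update channel: " + url)
    if not verify(pub, body, sig):
        raise ValueError("version file signature invalid: possible tampering")
    return parse_version_file(body.decode()).get("KeePass", ()) > installed

def demo():
    """Constructed scenario: genuine signed file vs. an on-path attacker's rewrite."""
    pub, priv = generate_keypair()
    genuine = b"KeePass:2.34\n"                  # what the publisher signed
    sig = sign(priv, genuine)
    tampered = b"KeePass:9.99\n"                 # attacker's lure toward a bogus "release"
    installed = (2, 33)
    url = "https://example.invalid/version2x.txt"   # hypothetical URL
    results = {
        "naive_genuine": naive_update_available(genuine, installed),
        "naive_tampered": naive_update_available(tampered, installed),   # hijack succeeds
        "verified_genuine": verified_update_available(url, genuine, sig, pub, installed),
    }
    for label, u, body in (("verified_tampered", url, tampered),
                           ("plain_http", "http://example.invalid/version2x.txt", genuine)):
        try:
            verified_update_available(u, body, sig, pub, installed)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results
```

Calling demo() shows the naive check accepting the attacker's rewritten file exactly as readily as the real one, while the verified check rejects both the tampered body (signature no longer matches) and a plain http:// channel. The point of the signature is that a MITM on the update channel can replace bytes but cannot produce a signature under the publisher's key; the HTTPS requirement on top of that is what stops the attacker from even seeing or modifying the exchange.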

  7. #5
    4 Star Lounger
    Join Date
    Jul 2011
    Location
    Florida
    Posts
    401
    Thanks
    169
    Thanked 28 Times in 26 Posts
    It's quite incredible what one gets for this FREE and open-source program... there is a donate button on the left of the home page.

  8. #6
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,180
    Thanks
    47
    Thanked 983 Times in 913 Posts
    Quote Originally Posted by gsmith-plm View Post
    I mention this because I've never seen any advertising in the 1.x version.
    There is no advertising in or around KeePass, either V1 or V2. There is advertising on the KeePass web site - unsurprisingly.

    cheers, Paul
