KeePass dev refuses to patch security hole in favor of ad revenue

Jason

I was too, mostly because if last pass is hack. Kee pass you have the file. I use keepass at work, but it has no ads in it..

Dashrender

@Jason said in KeePass dev refuses to patch security hole in favor of ad revenue:

I was too, mostly because if last pass is hack. Kee pass you have the file. I use keepass at work, but it has no ads in it..

You can backup your Lastpass file too.

Jason

1Password is something I've been considering too. The $70 one time version not the subscription

thwr

Seriously, are we talking about the same KeePass2? Never saw an advertisement in the application. Or is it something in the background, like usage tracking?

thwr

Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

JaredBusch

@thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

As someone contemplating switching to it though, I no longer wish to.

thwr

@JaredBusch said in KeePass dev refuses to patch security hole in favor of ad revenue:

@thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

Ok, checked the article, it's about the updater... Still a problem, but no need for an immediate switch IMHO.

As someone contemplating switching to it though, I no longer wish to.

Wouldn't do it either in this case, but there should be no real risk for existing users as long as you don't use the auto updater.

Anyway, please report back when you found something, FOSS preferred.

thwr

Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

Dashrender

@thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

This is especially troubling on mobile devices, something I would expect you to want this type of software the most. yeah this is a pretty big problem - sadly, one I'm guessing it's had since day one. or when they decided to do whatever they do with advertising.

Jason

@Dashrender said in KeePass dev refuses to patch security hole in favor of ad revenue:

@thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

This is especially troubling on mobile devices, something I would expect you to want this type of software the most. yeah this is a pretty big problem - sadly, one I'm guessing it's had since day one. or when they decided to do whatever they do with advertising.

Less of an issue on mobile devices the respective app stores handle it and it's much more secure

Dashrender

@Jason said in KeePass dev refuses to patch security hole in favor of ad revenue:

@Dashrender said in KeePass dev refuses to patch security hole in favor of ad revenue:

@thwr said in KeePass dev refuses to patch security hole in favor of ad revenue:

Security issues in auto updaters are a big problem. Most of them are prone to man in the middle attacks because they just don't use encryption and / or checksums.

This is especially troubling on mobile devices, something I would expect you to want this type of software the most. yeah this is a pretty big problem - sadly, one I'm guessing it's had since day one. or when they decided to do whatever they do with advertising.

Less of an issue on mobile devices the respective app stores handle it and it's much more secure

Good point.

aaron-closed account

This post is deleted!

scottalanmiller

I think KeePass with Chocolatey would bypass the insecure updater.

scottalanmiller

What about this one...

https://www.keepassx.org/

Carnival Boy

How does the HTTP update check create ad revenue? I haven't seen that explained.

The program won't update itself, you have to manually go to sourceforge.net and the developer's point that digital signatures are more secure than just using HTTPS anyway seems to make sense.

I don't see the issue. I'm happy to continue to use Keepass.

scottalanmiller

@Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

How does the HTTP update check create ad revenue? I haven't seen that explained.

Lost on that one here, too. I've never seen any ads associated with Keepass.

DustinB3403

If anyone is worried the MD5 and SHA1 match.

dafyre

I find this quite sad, actually. I've been a happy Keepass user for a while now... Guess I'll check out some of the others now. KeePassX looks pretty good.

Alex Sage

@dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

scottalanmiller

@aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

@dafyre Once again, the problem is the updater, not the program it self. I think at the end of the day, it will be fixed.

Or forked.