posted by cmn32480 on Monday June 06 2016, @02:22PM   Printer-friendly
from the they-gotta-be-kidding dept.

An Engadget story has the following to say about KeePass 2 and developer Dominik Reichl:

Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.


  • (Score: 2) by GungnirSniper on Monday June 06 2016, @02:26PM

    by GungnirSniper (1671) on Monday June 06 2016, @02:26PM (#355900) Journal

    Did some benevolent hacker replace my version with an ad-free one?

    • (Score: 3, Informative) by zocalo on Monday June 06 2016, @03:36PM

      by zocalo (302) on Monday June 06 2016, @03:36PM (#355938)
      The ads in question are on the application website, not in the application itself. Apparently, switching an entire site over to HTTPS causes a different class of ad (CPM instead of CPC) to be displayed which doesn't generate anything like as much revenue - same number of impressions, but 30% less income. There's a post from an unrelated site about this here [ycombinator.com], but the CPC impressions graph [imgur.com] pretty much speaks for itself.

      Anyway, the developer has already responded [sourceforge.net] to this and implemented a workaround, so it's now largely moot. Not that it wasn't moot anyway; if you are downloading something as security critical as a password manager, regardless of whether it's via HTTP or HTTPS, and *not* doing all you can to verify that you have a legit download via checksums, etc., then you probably deserve all you get if it turns out to be a trojan. And no, just because you got it from the official site instead of some random file repository doesn't give you that automatically - binaries on official sites can be (and have been) compromised on numerous occasions.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 4, Insightful) by TrumpetPower! on Monday June 06 2016, @05:53PM

        by TrumpetPower! (590) <ben@trumpetpower.com> on Monday June 06 2016, @05:53PM (#356012) Homepage

        if you are downloading something as security critical as a password manager, regardless of whether it's via HTTP or HTTPS, and *not* doing all you can to verify that you have a legit download via checksums, etc., then you probably deserve all you get if it turns out to be a trojan.

        What makes you think that attackers with the ability to replace binaries are clueless enough to forget to update the checksums?

        If you can't trust the server to serve up what you expect it to serve, all bets are off -- especially including your rather naïve bet that you can trust the server to pass you subtle hints that only initiates such as you are able to interpret.

        Or, as has been said for ages: in for a penny, in for a pound.

        There's no good solution. The PGP "Web of Trust" model was a good one, such that it wasn't all that difficult to attain overwhelming (though still imperfect) confidence.

        In practice, today...well, you pretty much have no choice but to trust your OS provider on these sorts of things. OS X comes with a darned good password manager, Keychain, that you can trust as much as the OS itself -- however much that might be. If your OS (such as Windows) doesn't come with one, then you've got to decide which third party (including yourself) you might trust. That sort of decision comes with an analysis of what's at stake and what the risks are...and that's something that you can only ultimately decide for yourself.

        Cheers,

        b&

        --
        All but God can prove this sentence true.
        • (Score: 2) by zocalo on Monday June 06 2016, @06:52PM

          by zocalo (302) on Monday June 06 2016, @06:52PM (#356048)

          What makes you think that attackers with the ability to replace binaries are clueless enough to forget to update the checksums?

          In the specific case of checksumming? Maths. An attacker might (just) be able to generate an identical checksum on a malicious version of a file using a single checksum algorithm, especially for something known to be flawed like MD5, but if the original file is checksummed using two different methods - even if it's just MD5 & SHA1 - then creating that dual collision *on the same file* is almost certainly going to be mathematically impossible. There's no subtle hints about it; the whole point of publishing and advertising the checksums in multiple locations (the original site, Facebook page, SourceForge, etc.) is to provide that assurance through the knowledge that a would-be attacker would have needed to compromise multiple sites at the same time; again, not impossible, but exceedingly unlikely.

          As you said, the decision on trust comes with an analysis of what's at stake and what the risks are. My point was that when you are putting a lot of eggs into a single basket, which is certainly the case with a password manager, then you probably want to raise the bar a bit on what the stakes are and act accordingly.

          --
          UNIX? They're not even circumcised! Savages!
          • (Score: 2) by jimshatt on Monday June 06 2016, @07:43PM

            by jimshatt (978) on Monday June 06 2016, @07:43PM (#356070) Journal
            You don't have to generate identical checksums. You just have to hijack the page displaying the checksums as well (usually on the same page, which makes it even easier).
            • (Score: 2) by zocalo on Monday June 06 2016, @08:33PM

              by zocalo (302) on Monday June 06 2016, @08:33PM (#356094)
              Which would be why I mentioned having the checksums on multiple independent sites.
              --
              UNIX? They're not even circumcised! Savages!
              • (Score: 0) by Anonymous Coward on Monday June 06 2016, @09:59PM

                by Anonymous Coward on Monday June 06 2016, @09:59PM (#356140)

                Then an attacker would only have to fake authorization to the white pages, just like vuze. Your idea is impractical.

                • (Score: 2) by zocalo on Tuesday June 07 2016, @08:07AM

                  by zocalo (302) on Tuesday June 07 2016, @08:07AM (#356322)
                  Um, what? You do realise I'm just describing a mechanism that has been used by Linux distributions and many other things to verify download integrity without any major incidents not caused by human failings for decades, right?
                  --
                  UNIX? They're not even circumcised! Savages!
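The cross-checking argued over in the subthread above (zocalo: several algorithms, published in several places; jimshatt: the page listing the checksums is usually the one that gets hijacked) is easy to state as code. The following is an added example written for this page, not KeePass's code and not posted by anyone in the thread. The "project site" and "mirror" sources, the artifact bytes and the notion of a Published record are all constructed for the demo; in a real run you would hash the downloaded file and paste digests copied from genuinely independent locations.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Published is the digest set one independent location (project page,
// mirror, mailing-list post, ...) claims for a release artifact. An empty
// field means that location does not list that algorithm.
type Published struct {
	Source string
	MD5    string
	SHA1   string
	SHA256 string
}

// Digests computes all three hex digests of an artifact held in memory.
func Digests(data []byte) Published {
	m := md5.Sum(data)
	s1 := sha1.Sum(data)
	s256 := sha256.Sum256(data)
	return Published{
		MD5:    hex.EncodeToString(m[:]),
		SHA1:   hex.EncodeToString(s1[:]),
		SHA256: hex.EncodeToString(s256[:]),
	}
}

// VerifyDownload accepts the artifact only if at least two sources were
// consulted and every digest any of them publishes matches. One disagreeing
// source is treated as a hijacked page, not as a typo: the whole point of
// consulting several is that an attacker must alter all of them at once.
func VerifyDownload(data []byte, sources []Published) error {
	if len(sources) < 2 {
		return fmt.Errorf("need at least two independent sources, got %d", len(sources))
	}
	actual := Digests(data)
	checked := 0
	for _, s := range sources {
		for _, p := range []struct{ name, want, got string }{
			{"md5", s.MD5, actual.MD5},
			{"sha1", s.SHA1, actual.SHA1},
			{"sha256", s.SHA256, actual.SHA256},
		} {
			if p.want == "" {
				continue // this source does not publish this algorithm
			}
			checked++
			if p.want != p.got {
				return fmt.Errorf("%s from %s does not match download: %s != %s",
					p.name, s.Source, p.want, p.got)
			}
		}
	}
	if checked == 0 {
		return fmt.Errorf("no source published any digest")
	}
	return nil
}

func main() {
	// Constructed artifact and published values for the demo only.
	artifact := []byte("abc")
	site := Digests(artifact)
	site.Source = "project site"
	mirror := Published{Source: "mirror", SHA256: site.SHA256}
	fmt.Println("genuine:", VerifyDownload(artifact, []Published{site, mirror}))
	fmt.Println("tampered:", VerifyDownload([]byte("abd"), []Published{site, mirror}))
}
```

The check is only as independent as the sources really are: two pages on the same host, or a page and the download link next to it, count as one. The MD5 and SHA-1 fields are kept because projects still publish them, but a mismatch is a mismatch regardless of algorithm, and a SHA-256 value from an out-of-band source is the one to insist on.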
    • (Score: 1) by jurov on Monday June 06 2016, @04:45PM

      by jurov (6250) on Monday June 06 2016, @04:45PM (#355976)

      Yes, see https://www.keepassx.org/ [keepassx.org]

  • (Score: 0, Disagree) by Anonymous Coward on Monday June 06 2016, @02:44PM

    by Anonymous Coward on Monday June 06 2016, @02:44PM (#355912)

    Yes, the implication is that profit is more important than protecting users.

    Do you pay for it, or is it free? If it is free, you get what you pay for.

    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @03:02PM

      by Anonymous Coward on Monday June 06 2016, @03:02PM (#355920)

      KeePass [keepass.info] is a free (GPL2) and open-source password manager for Microsoft Windows.

    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @03:08PM

      by Anonymous Coward on Monday June 06 2016, @03:08PM (#355922)

      So it's basically like lunix.

    • (Score: 2) by Nerdfest on Monday June 06 2016, @03:47PM

      by Nerdfest (80) on Monday June 06 2016, @03:47PM (#355944)

      I've found that in the software world lately it actually works very much the opposite.

    • (Score: 3, Touché) by DannyB on Monday June 06 2016, @04:15PM

      by DannyB (5839) Subscriber Badge on Monday June 06 2016, @04:15PM (#355960) Journal

      > If it is free, you get what you pay for.

      But do I get what I expect based on the reputation of the software?

      If people have a certain expectation of a free security related program, and something compromises what you expect, then there is nothing wrong with spreading the word far and wide. And also nothing wrong with complaining about it.

      Can something not be complained about just because it is free? The complaints can be useful guidance and feedback. But the producer of the software has no obligation to do anything for a free software product, or its reputation. (See: SourceForge, previous owners. Also see an earlier fiasco about NoScript extension for Mozilla regarding ads: the author was willing to destroy his credibility and trust over advertising.)

      And, if the free product does not do what one wants, and won't be fixed, one is free to look elsewhere, or develop their own. I suspect that the author of KeePass genuinely intends and intended to build something that solves a widespread need.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 2) by Wootery on Wednesday June 08 2016, @10:47AM

        by Wootery (2341) on Wednesday June 08 2016, @10:47AM (#356801)

        Can something not be complained about just because it is free?

        Yes. Obviously. To 'complain' is simply to assert that something isn't fit for purpose. Revenue is irrelevant.

        the producer of the software has no obligation to do anything for a free software product, or its reputation

        Sure. No different from closed-source payware. It's not about 'obligation' (whatever that means), it's about good software.

    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @05:43PM

      by Anonymous Coward on Monday June 06 2016, @05:43PM (#356006)

      Windows 10 invalidates your claim.

  • (Score: 3, Insightful) by Runaway1956 on Monday June 06 2016, @02:44PM

    by Runaway1956 (2926) Subscriber Badge on Monday June 06 2016, @02:44PM (#355913) Journal

    I suppose the article is concerned with Windows users. Keepass is available from a trusted source, with secure communication protocols, if you happen to run a secure operating system.*

      # equo search keepass
    ╠ @@ Searching...
    ╠ @@ Package: app-admin/keepass-2.32 branch: 5, [sabayon-weekly]
    ╠ Available: version: 2.32 ~ tag: NoTag ~ revision: 0
    ╠ Installed: version: Not installed ~ tag: n/a ~ revision: n/a
    ╠ Slot: 0
    ╠ Homepage: http://keepass.info/ [keepass.info]
    ╠ Description: A free, open source, light-weight
    ╠ and easy-to-use password manager
    ╠ License: GPL-2
    ╠ @@ Package: app-admin/keepassx-2.0.2 branch: 5, [sabayon-weekly]
    ╠ Available: version: 2.0.2 ~ tag: NoTag ~ revision: 0
    ╠ Installed: version: Not installed ~ tag: n/a ~ revision: n/a
    ╠ Slot: 0
    ╠ Homepage: http://www.keepassx.org/ [keepassx.org]
    ╠ Description: Qt password manager compatible
    ╠ with its Win32 and Pocket PC versions
    ╠ License: BSD CC0-1.0 GPL-2 GPL-3 LGPL-2.1 LGPL-3+ public-domain
    ╠ @@ Package: dev-perl/File-KeePass-2.30.0 branch: 5, [sabayon-weekly]
    ╠ Available: version: 2.30.0 ~ tag: NoTag ~ revision: 2
    ╠ Installed: version: Not installed ~ tag: n/a ~ revision: n/a
    ╠ Slot: 0
    ╠ Homepage: http://search.cpan.org/dist/File-KeePass/ [cpan.org]
    ╠ Description: Interface to KeePass V1 and V2 database
    ╠ files
    ╠ License: Artistic GPL-1+
    ╠ Keywords: keepass
    ╠ Found: 3 entries

    *Security is, of course, a relative thing. Relatively speaking, some *nixes are more secure than others, but basically, all of them are more secure than Windows.

    • (Score: 2) by Pino P on Monday June 06 2016, @03:55PM

      by Pino P (4721) on Monday June 06 2016, @03:55PM (#355952) Journal

      Keepass is available from a trusted source, with secure communication protocols, if you happen to run a secure operating system.*

      However, I imagine that most people who try a secure operating system and discover some critical incompatibility with their hardware or applications are unwilling to buy new hardware or applications just to be able to run a secure operating system.

      • (Score: 3, Interesting) by Runaway1956 on Monday June 06 2016, @04:36PM

        by Runaway1956 (2926) Subscriber Badge on Monday June 06 2016, @04:36PM (#355969) Journal

        That is why we have virtual machines. Do your important stuff on hardware, and only use the less secure OS inside of a secure VM. And, thus, KeePass need not be installed inside the VM, just install it in the real OS. Amazingly (or not) someone has already thought of this - https://sourceforge.net/p/keepass/discussion/329220/thread/1fd4af5c/ [sourceforge.net]

        As for hardware - isn't this 2016?

        • (Score: 2) by Pino P on Monday June 06 2016, @05:34PM

          by Pino P (4721) on Monday June 06 2016, @05:34PM (#356001) Journal

          Running the insecure OS inside a VM on a secure OS solves incompatibility with applications but not incompatibility with hardware. Good luck getting Bluetooth, Wi-Fi, camera, audio, and suspend working on an ASUS T100TA [debian.org] or X205TA [debian.org] using only free software.

          • (Score: 2) by NotSanguine on Monday June 06 2016, @07:18PM

            Running the insecure OS inside a VM on a secure OS solves incompatibility with applications but not incompatibility with hardware. Good luck getting Bluetooth, Wi-Fi, camera, audio, and suspend working on an ASUS T100TA or X205TA using only free software.

            There is such a thing as perfect security. It involves powering off your hardware, unplugging everything and then storing said hardware in a locked vault buried in steel reinforced concrete in your back yard. And then never leave your home long enough to allow someone to breach the concrete and break into the vault. Booby traps would be useful too, I imagine. I'd also recommend lots of lethal weapons and trustworthy mercenaries (so you can sleep once in a while).

            Unfortunately, this causes some minor usability issues.

            As such the issue isn't making things perfectly secure, rather it's securing your data within budgetary and usability constraints.

            If your data is valuable enough, purchasing new hardware that works with the software you build from audited sources yourself (don't forget to audit and build the compiler(s) from source too!) is a small price to pay.

            Can you say "cost/benefit analysis"? Sure you can. I knew you could!

            --
            No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 2) by Runaway1956 on Monday June 06 2016, @07:28PM

            by Runaway1956 (2926) Subscriber Badge on Monday June 06 2016, @07:28PM (#356063) Journal

            If you purchased hardware that is incompatible with a more secure operating system, then you have done things so very wrong already, that there is little hope for you.

            Seriously, before I purchase any components to go into a machine, I check out the support for my preferred operating systems.

            Need a car analogy? I'm driving a Ford. I need/want some gadget or another - let's say a James Bond machine gun that mounts in the left rear fender, and fires on pursuing enemies. Do you think I'm going to General Motors for my machine gun? Chrysler? Not only "NO", but "HELL NO!" Mercedes or Suzuki may offer that machine gun with better looking specs, but, dammit, I'm driving a Ford, and I need that damned machine gun to interface with my Ford's computer! I'm going to Ford for my murder and mayhem accessories, thank you very much. Fat lot of good it will do me to purchase Suzuki's superior-looking machine gun, only to find that it will never calibrate precisely with my Found-On-Road-Dead computer.

            • (Score: 2) by maxwell demon on Monday June 06 2016, @09:48PM

              by maxwell demon (1608) on Monday June 06 2016, @09:48PM (#356134) Journal

              That assumes you've decided on that secure operating system before deciding on the hardware you bought. Which is hardly the case for someone just learning about that secure operating system. They will not buy a new computer just to try it out, they will try to run it on the computer they already have. And which they obviously didn't buy with that operating system in mind.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by Runaway1956 on Tuesday June 07 2016, @02:03AM

                by Runaway1956 (2926) Subscriber Badge on Tuesday June 07 2016, @02:03AM (#356213) Journal

                Well - I'm "someone", and that is exactly what I did. I rapidly got fed up with Windows, so I began researching hardware that was compatible with Linux. I purchase hardware because it is compatible with Linux.

                I have this mild contempt for people who don't understand diddly squat when it comes to the computers they buy. It's on par with my mild contempt for people who pay some grease monkey to check the air in their tires. Some things are so damned simple, there has to be something wrong with you if you fail to grasp the concept. 1+1=2 Windows costs a fair chunk of change out of Joe Sixpack's paycheck, and it's always frustrating him. Linux is free, and it's not any more frustrating than Windows, even through the learning curve. Then it is far less frustrating. Simple, simple, simple.

                Back to car analogies - most people want to purchase the vehicle that requires the most scheduled and unscheduled maintenance, right? I say that the most mechanically ignorant person in America who browses the internet, searching for the "most reliable car" or "low maintenance car" and other similar terms is more diligent than the average computer consumer.

                • (Score: 2) by Pino P on Tuesday June 07 2016, @03:22PM

                  by Pino P (4721) on Tuesday June 07 2016, @03:22PM (#356441) Journal

                  Linux is free

                  Only if you already have compatible hardware.

                  and it's not any more frustrating than Windows

                  It shifts the frustration to the time of purchase. Someone considering buying a computer, for example, might find it frustrating that the local Best Buy doesn't display whether each particular computer or component that it sells is Linux-compatible, nor does it carry Linux-compatible laptops in some size classes at all. And even if you're willing to buy a laptop sight unseen, without trying its keyboard or screen before you buy, what method do you recommend to search across all manufacturers of laptops in a particular size class for those that happen to be Linux-compatible? I tried looking at individual manufacturers that specialize in Linux, but then I found that System76 doesn't have anything smaller than 14 inches.

            • (Score: 2) by Pino P on Tuesday June 07 2016, @03:13PM

              by Pino P (4721) on Tuesday June 07 2016, @03:13PM (#356435) Journal

              before I purchase any components to go into a machine, I check out the support for my preferred operating systems.

              So in other words, whenever you try a different operating system, you first have to make yourself willing to buy or build a brand new computer in which to run it. Here's a trick(y) question for you: Which warranted 10.1" laptop is fully compatible with a secure operating system?

              I'm driving a Ford. I need/want some gadget or another

              What do you do when the class of gadget you want is not available for your Ford? Buy a whole new car?

              • (Score: 2) by Runaway1956 on Tuesday June 07 2016, @08:49PM

                by Runaway1956 (2926) Subscriber Badge on Tuesday June 07 2016, @08:49PM (#356598) Journal

                Well - I don't do 10", so I've never even looked to see which of them might support Linux. I want a large laptop, the more screen space the better. But, without researching, I already know that Android is available on notebooks and tablets, as well as telephones - thus cyanogen mod, and I presume, it's possible to install Linux on most of those. Android is, after all, based on Linux.

                Some gadget is not available for my car? I may buy another car, or I may trade my car in, or I may do without the gadget. Or, I may create the gadget I need. But, chances are, whatever I need is available somewhere. The aftermarket has stuff that Ford never even thought about putting on a car, after all.

                • (Score: 2) by Pino P on Tuesday June 07 2016, @09:31PM

                  by Pino P (4721) on Tuesday June 07 2016, @09:31PM (#356619) Journal

                  I want a large laptop, the more screen space the better.

                  I guess our needs differ, as a bag that's more obviously a laptop bag is more likely to attract muggers. So I carry my current Linux netbook in a nondescript satchel. I just worry about what'll replace it once it finally dies.

                  I already know that Android is available on notebooks and tablets [...] Android is, after all, based on Linux.

                  I guess it depends on how hard it is to bring up X-based desktop applications in a GNURoot [google.com] inside Android. But then this reintroduces the application compatibility barrier, as ARM tablets probably don't run an x86 VM efficiently.

                  • (Score: 2) by Runaway1956 on Tuesday June 07 2016, @10:01PM

                    by Runaway1956 (2926) Subscriber Badge on Tuesday June 07 2016, @10:01PM (#356629) Journal

                    Pino, I wasn't sure if you were trolling, or if you were serious. Sorry for being suspicious.

                    This guy went with an 11" and he seems to be doing well, initially at least - https://www.reddit.com/r/linux/comments/3j6hnb/linux_compatible_netbook/ [reddit.com]

                    Similar reddit discussion here - https://www.reddit.com/r/linux/comments/4397p8/linux_for_netbook/ [reddit.com]

                    This looks kind of promising, but I can't find a list of compatible hardware - http://simplicitylinux.org/ [simplicitylinux.org]

                    The search terms I used return a lot of Chromebooks - I'm not thrilled by the things I've heard about those, but that is a possibility.

                    I am encouraged that there are discussions on the net, regarding small devices such as you describe. Apparently, you're looking around, and giving some thought to your next laptop, netbook, or whatever now. That's the way to go. Waiting until the day after your device dies to start looking would guarantee a lot more frustration.

  • (Score: 3, Insightful) by Thexalon on Monday June 06 2016, @02:47PM

    by Thexalon (636) on Monday June 06 2016, @02:47PM (#355916)

    In the proprietary software world, security is something you swear up and down that you're doing properly, while ignoring it unless it's a legal liability or public relations problem.

    In the custom corporate software world, security is something you're greatly concerned about if it's protecting your company's information. Otherwise, like proprietary software, it only matters if there's likely to be a legal liability or public relations problem.

    Actually caring about security is nowhere near as profitable as pretending to do so. Sort of like how nearly all industrial operations treat the environmental damage they're doing.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2, Informative) by Anonymous Coward on Monday June 06 2016, @03:32PM

      by Anonymous Coward on Monday June 06 2016, @03:32PM (#355935)

      I'm raising my hand.

      While I don't disagree with your points, I'm not sure what this has to do with the software in question. For a lone developer who has written a GPL program he's done a damn fine job in focusing on making sure the software program uses good security practices to keep your passwords safe.

      Does it really matter if a text file with version information is served over HTTPS or not? Modifying the data in transit as shown in the video in the article will, at worst, cause a notification window to appear in KeePass saying that a new version is available. That doesn't seem worth granting a CVE in my opinion. The user still has to manually download and install any updates which are served from Sourceforge and are digitally signed.

      Maybe if some of the companies that use his program would donate to him or sponsor him he could earn enough money to drop the ads, switch the site to HTTPS, and work on the software full time.

      • (Score: 2) by jmorris on Monday June 06 2016, @05:29PM

        by jmorris (4844) on Monday June 06 2016, @05:29PM (#356000)

        Just another example of the Post Snowden idiocy. Any http server is now considered insecure by definition. Because the enemy isn't sitting in the datacenters themselves feeding the NSA machine. Oh no, they still use guys in nondescript white panel vans sitting on the side of the street tapping people one at a time and launching complex man in the middle attacks. And no, the government/hackers/etc. won't just use this week's PHP exploit to just compromise the https server to send a bogus binary to take advantage of the fact Windows software distribution still, in 2016, doesn't have a reliable signed update system enabled by default for non-Microsoft software. (outside the useless Microsoft Store app environment of course)

        Sure your ISP is or will be rewriting http traffic to insert more ads, but they probably won't be trying to inject trojan executables because there ain't no profit in that.

    • (Score: 2) by Dunbal on Monday June 06 2016, @07:59PM

      by Dunbal (3515) on Monday June 06 2016, @07:59PM (#356080)

      while ignoring it until it becomes a legal liability or public relations problem.

      Fixed that for you.

  • (Score: 5, Informative) by Anonymous Coward on Monday June 06 2016, @02:57PM

    by Anonymous Coward on Monday June 06 2016, @02:57PM (#355918)

    This is a tempest in a teapot and is being exaggerated by Engadget. Keepass does not have an auto-update feature. The Keepass program checks the web site to see if a new version is available. If there is a new version the program displays a notification to the end user. That's it. Full stop.

    • Keepass does not have any functionality to download and self-update. It's the responsibility of the user to go to the web site, download the new version, and install it.
    • The binaries are digitally signed by the Keepass author.
    • The keepass website doesn't host the binaries. The binaries are hosted on Sourceforge and its mirrors, many of which use HTTPS.

    The author has fixed the problem by using a digital signature to sign the update text file on the web site that the Keepass program looks for.

    There's a detailed response from the author here: http://keepass.info/help/kb/sec_issues.html#updsig [keepass.info]

    As for ad revenue, many ad networks still do not support HTTPS. This creates a problem where there are more people willing to pay for ads that show up on HTTP ad networks than HTTPS. Because of fewer impressions on HTTPS the ads are worth less too. There's a post on Hacker News where one guy saw a 30% drop in ad revenue when he switched his site to HTTPS. https://news.ycombinator.com/item?id=11803716 [ycombinator.com]

    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @03:27PM

      by Anonymous Coward on Monday June 06 2016, @03:27PM (#355932)

      However intercepting the unencrypted connection could result in users not being informed about a critical update. And the fact that they normally would be informed means they'd probably not check the web site by themselves. Admittedly that's a much lower security issue than an unprotected update mechanism, but it's a security issue nonetheless.

      • (Score: 0) by Anonymous Coward on Monday June 06 2016, @03:49PM

        by Anonymous Coward on Monday June 06 2016, @03:49PM (#355947)

        I agree that there could still be a minor problem caused by it. Your example was great.

        That's also why I said that this is a tempest in a teapot. Many of the articles that I've seen about this in the last 24 hours are misrepresenting the facts. Stories are being sensational and inventing facts, talking about keepass downloading and installing updates (which it can't do) via HTTP and saying that users could get infected with malware.

        The problem and its severity and impact are being blown way out of proportion. As a keepass user it irritates me because I see a free software developer getting shit on by the tech media in order to manufacture outrage and get their articles more views (i.e., more ad revenue).

      • (Score: 2) by theluggage on Monday June 06 2016, @05:57PM

        by theluggage (1797) on Monday June 06 2016, @05:57PM (#356014)

        However intercepting the unencrypted connection could result in users not being informed about a critical update

        Read the G.P post: the update.txt file is now digitally signed. Your method wouldn't work: even if the author's site has been pwn3d (which HTTPS is powerless to prevent) then the bad guys won't be able to sign the file. That solution is actually superior to using HTTPS.

        Oh, and remember: installing that critical update will invalidate the 6-week source code audit you performed on the current version before entrusting the launch codes for your personal nuclear arsenal to it.

        Seriously: even if your method worked it would be a minuscule risk: some weighing of risks in context is required. The biggest risk comes from pushing every update as critical and urgent and ignoring the real possibility of the update failing or introducing a regression.

        • (Score: 0) by Anonymous Coward on Tuesday June 07 2016, @12:28PM

          by Anonymous Coward on Tuesday June 07 2016, @12:28PM (#356366)

          Read the G.P post: the update.txt file is now digitally signed.

          That doesn't help against serving an outdated version of that file, complete with its valid signature.

          • (Score: 2) by theluggage on Tuesday June 07 2016, @01:54PM

            by theluggage (1797) on Tuesday June 07 2016, @01:54PM (#356395)

            That doesn't help against serving an outdated version of that file, complete with its valid signature.

            So give the file an expiry date & renew it regularly. Oh, and if a security patch is so desperately critical that it is worth someone going to great effort to suppress it, don't rely on an optional automatic update notification as the sole means of publicising it.

            There comes a point at which encryption becomes equivalent to putting a steel door on a tent. HTTPS is firmly in that category, because it is only as strong as the infrastructure for issuing certificates - and that is weak by design because it has to allow users to visit sites without manually installing/verifying certificates.
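The exchange above (the author now signs the update text file; an AC points out that an attacker can replay an old copy with its still-valid signature; theluggage answers with an expiry date) maps onto a small verifier. The following is an added example written for this page, not KeePass's code, and not the signing scheme the author actually chose; it assumes an Ed25519 key pinned in the client, a JSON payload with "latest", "issued_at" and "expires" fields, and a client that remembers the newest issue time it has accepted. All of those names and the key pair generated in main are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// VersionInfo is the content the publisher signs. The two timestamps are
// what a bare signed version file lacks: they bound how long a captured
// copy stays usable.
type VersionInfo struct {
	Latest   string    `json:"latest"`
	IssuedAt time.Time `json:"issued_at"`
	Expires  time.Time `json:"expires"`
}

// Manifest is the document the client fetches (plain HTTP is fine): the
// signed bytes verbatim plus an Ed25519 signature over exactly those bytes.
type Manifest struct {
	Payload []byte
	Sig     []byte
}

// Client holds the publisher key pinned at build time and the issue time of
// the newest manifest accepted so far (a real client persists LastSeen).
type Client struct {
	Pub      ed25519.PublicKey
	LastSeen time.Time
}

// SignManifest is the publisher side, run offline with the private key.
func SignManifest(priv ed25519.PrivateKey, info VersionInfo) (Manifest, error) {
	payload, err := json.Marshal(info)
	if err != nil {
		return Manifest{}, err
	}
	return Manifest{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Check validates a fetched manifest and reports whether current is behind.
// Order: signature first, then parse, then freshness, then monotonicity.
func (c *Client) Check(m Manifest, current string, now time.Time) (bool, error) {
	if !ed25519.Verify(c.Pub, m.Payload, m.Sig) {
		return false, errors.New("bad signature: altered in transit or not from publisher")
	}
	var info VersionInfo
	if err := json.Unmarshal(m.Payload, &info); err != nil {
		return false, err
	}
	if now.After(info.Expires) {
		return false, fmt.Errorf("manifest expired %s ago: stale copy served", now.Sub(info.Expires))
	}
	if info.IssuedAt.Before(c.LastSeen) {
		return false, errors.New("manifest older than one already accepted: replay")
	}
	c.LastSeen = info.IssuedAt
	return NewerVersion(info.Latest, current), nil
}

// NewerVersion compares dotted numeric versions ("2.33" > "2.32" > "2.9").
func NewerVersion(latest, current string) bool {
	a, b := strings.Split(latest, "."), strings.Split(current, ".")
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x, _ = strconv.Atoi(a[i])
		}
		if i < len(b) {
			y, _ = strconv.Atoi(b[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway pair for the demo
	t0 := time.Date(2016, 6, 7, 12, 0, 0, 0, time.UTC)
	c := &Client{Pub: pub}
	m, _ := SignManifest(priv, VersionInfo{Latest: "2.33", IssuedAt: t0, Expires: t0.Add(7 * 24 * time.Hour)})
	fmt.Println(c.Check(m, "2.32", t0))                     // fresh: update available
	fmt.Println(c.Check(m, "2.32", t0.Add(8*24*time.Hour))) // served again after expiry
}
```

The expiry window is the publisher's promise to re-sign regularly; the LastSeen check closes the gap inside that window, where an attacker could otherwise alternate between two still-valid manifests. Neither stops an attacker from simply dropping the connection, which is why the notification stays an optional convenience and the signed download itself remains the thing to verify.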

    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @04:52PM

      by Anonymous Coward on Monday June 06 2016, @04:52PM (#355978)

      HTTPS does defend against some attacks, but criminals who can compromise the Certificate Authority system have much of the same ability to conduct man-in-the-middle attacks and compromise data. Blindly pushing HTTPS while leaving unresolved flaws in place such as major browser vendors crapping all over themselves when they see a self-signed (and thus invulnerable to upstream CA issues) certificate promotes a false sense of security.

      The cryptographic signatures for the downloads are provided by the author, and those are mathematically impervious to manipulation via weaknesses in HTTP or HTTPS. The lesson here is not to bash the software's author or website maintainer, but to cryptographically verify the integrity of the software you use so that the NSA can't send a National Security Letter to Verisign and get their own special NSAkey which will be used to show you a happy little lock icon while the data stream's integrity has been totally destroyed.

  • (Score: 2) by DannyB on Monday June 06 2016, @04:19PM

    by DannyB (5839) Subscriber Badge on Monday June 06 2016, @04:19PM (#355961) Journal

    Isn't it the advertising networks who are the real culprit here? Not KeePass nor its author.

    Advertising networks: willing to compromise everyone's security by making it preferable to use HTTP instead of HTTPS. (Not to mention being spreaders of malware through their ad networks.)

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @04:26PM

      by Anonymous Coward on Monday June 06 2016, @04:26PM (#355964)

      Since ad networks are often willing to distribute malware through their network the HTTPS thing is the least concern with them really.

    • (Score: 0) by Anonymous Coward on Monday June 06 2016, @07:31PM

      by Anonymous Coward on Monday June 06 2016, @07:31PM (#356064)

      "Isn't it the advertising networks who are the real culprit here? Not KeePass nor its author."

      If KeePass is willing to open their users to vulnerabilities just to get a bit of money, then no. Just because the advertisers are wrong, it doesn't mean everyone associated with them are innocent.

      • (Score: 1) by I Like Perl on Monday June 06 2016, @09:52PM

        by I Like Perl (6251) on Monday June 06 2016, @09:52PM (#356135)

        The KeePass users were never vulnerable to begin with.

  • (Score: -1, Offtopic) by Anonymous Coward on Monday June 06 2016, @04:54PM

    by Anonymous Coward on Monday June 06 2016, @04:54PM (#355981)

    KeepAss

  • (Score: 2) by Techwolf on Tuesday June 07 2016, @02:11AM

    by Techwolf (87) on Tuesday June 07 2016, @02:11AM (#356219)

    There are several different flavors of keepass. For desktop, there is keepass (mono code), keepassX (Linux code), and for what I use for Android, keepass2android. https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en [google.com] is open source , ad free, is more secure and has no commercial interests. http://keepass2android.codeplex.com/ [codeplex.com]

  • (Score: 0) by Anonymous Coward on Wednesday June 08 2016, @06:24PM

    by Anonymous Coward on Wednesday June 08 2016, @06:24PM (#356940)

    the engadget author is an idiot. the commenters on engadget are idiots. this story also woke all the idiots who visit this site. The keepass2 site should use tls but that's hardly a "vuln" (as typically used) in the app itself. you use a phischer-price operating system, with plenty of other apps with insecure code and update mechanisms then you whine about keepass2? Downloading all your slaveware from all over the place. Most these same appalled whiners don't check the sig either i bet. even the moron at engadget has screenshots using a windows computer. I'm supposed to take that idiot seriously? lmao....