Stories
Slash Boxes
Comments

SoylentNews is people

Password App Developer Overlooks Security Hole to Preserve Ads

posted by cmn32480 on Monday June 06 2016, @02:22PM   Printer-friendly
from the they-gotta-be-kidding dept.

Fnord666 writes:

An engadget story has the following to say about KeePass2 and developer Dominik Reichl:

Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Password App Developer Overlooks Security Hole to Preserve Ads | Log In/Create an Account | Top | 47 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Informative) by Anonymous Coward on Monday June 06 2016, @03:32PM

    by Anonymous Coward on Monday June 06 2016, @03:32PM (#355935)

    I'm raising my hand.

    While I don't disagree with your points, I'm not sure what this has to do with the software in question. For a lone developer who has written a GPL program he's done a damn fine job in focusing on making sure the software program uses good security practices to keep your passwords safe.

    Does it really matter if a text file with version information is served over HTTPS or not? Modifying the data in transit as shown in the video in the article will, at worst, cause a notification window to appear in KeePass saying that a new version is available. That doesn't seem worth granting a CVE in my opinion. The user still has to manually download and install any updates which are served from Sourceforge and are digitally signed.

    Maybe if some of the companies that use his program would donate to him or sponsor him he could earn enough money to drop the ads, switch the site to HTTPS, and work on the software full time.

    Starting Score:    0  points
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  
    Total Score:   2  

  • (Score: 2) by jmorris on Monday June 06 2016, @05:29PM

    by jmorris (4844) on Monday June 06 2016, @05:29PM (#356000)

    Just another example of the Post Snowden idiocy. Any http server is now considered insecure by definition. Because the enemy isn't sitting in the datacenters themselves feeding the NSA machine. Oh no, they still use guys in nondescript white panel vans sitting on the side of the street tapping people one at a time and launching complex man in the middle attacks. And no, the government/hackers/etc. won't just use this week's PHP exploit to just compromise the https server to send a bogus binary to take advantage of the fact Windows software distribution still, in 2016, doesn't have a reliable signed update system enabled by default for non-Microsoft software. (outside the useless Microsoft Store app environment of course)

    Sure your ISP is or will be rewriting http traffic to insert more ads, but they probably won't be trying to inject trojan executables because there ain't no profit in that.