SoylentNews

Password App Developer Overlooks Security Hole to Preserve Ads

posted by cmn32480 on Monday June 06 2016, @02:22PM   
from the they-gotta-be-kidding dept.

Fnord666 writes:

An engadget story has the following to say about KeePass2 and developer Dominik Reichl:

Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.

---

Original Submission

• HTTPS not the magic bullet, either (Score: 0) by Anonymous Coward on Monday June 06 2016, @04:52PM

  by Anonymous Coward on Monday June 06 2016, @04:52PM (#355978)

  HTTPS does defend against some attacks, but criminals who can compromise the Certificate Authority system have much of the same ability to conduct man-in-the-middle attacks and compromise data. Blindly pushing HTTPS while leaving unresolved flaws in place such as major browser vendors crapping all over themselves when they see a self-signed (and thus invulnerable to upstream CA issues) certificate promotes a false sense of security.

  The cryptographic signatures for the downloads are provided by the author, and those are mathematically impervious to manipulation via weaknesses in HTTP or HTTPS. The lesson here is not to bash the software's author or website maintainer, but to cryptographically verify the integrity of the software you use so that the NSA can't send a National Security Letter to Verisign and get their own special NSAkey which will be used to show you a happy little lock icon while the data stream's integrity has been totally destroyed.

  Parent