An engadget story has the following to say about KeePass2 and developer Dominik Reichl:
Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.
(Score: 2) by jmorris on Monday June 06 2016, @05:29PM
Just another example of the Post Snowden idiocy. Any http server is now considered insecure by definition. Because the enemy isn't sitting in the datacenters themselves feeding the NSA machine. Oh no, they still use guys in nondescript white panel vans sitting on the side of the street tapping people one at a time and launching complex man in the middle attacks. And no, the government/hackers/etc. won't just use this week's PHP exploit to just compromise the https server to send a bogus binary to take advantage of the fact Windows software distribution still, in 2016, doesn't have a reliable signed update system enabled by default for non-Microsoft software. (outside the useless Microsoft Store app environment of course)
Sure your ISP is or will be rewriting http traffic to insert more ads, but they probably won't be trying to inject trojan executables because there ain't no profit in that.