An Engadget story has the following to say about KeePass 2 and developer Dominik Reichl:
Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.
(Score: 2) by theluggage on Tuesday June 07 2016, @01:54PM
That doesn't help against serving an outdated version of that file, complete with its valid signature.
So give the file an expiry date & renew it regularly. Oh, and if a security patch is so desperately critical that it is worth someone going to great effort to suppress it, don't rely on an optional automatic update notification as the sole means of publicising it.
There comes a point at which encryption becomes equivalent to putting a steel door on a tent. HTTPS is firmly in that category, because it is only as strong as the infrastructure for issuing certificates - and that is weak by design because it has to allow users to visit sites without manually installing/verifying certificates.
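The expiry idea from the comment above, as an added example (not the commenter's code and not KeePass's own update mechanism): a signed version manifest is accepted only while its embedded expiry lies in the future, so a replayed older copy is rejected even though its signature still verifies. The JSON manifest format and the Ed25519 publisher key are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Manifest is a hypothetical update-check document: the newest version and
// the instant after which this signed copy must no longer be trusted.
type Manifest struct {
	Latest  string    `json:"latest"`
	Expires time.Time `json:"expires"`
}
// SignManifest serialises m and signs the bytes with the publisher's key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m) // a string plus a time.Time cannot fail to encode
	return body, ed25519.Sign(priv, body)
}

// VerifyManifest trusts body only if the signature checks out AND the manifest
// is still inside its validity window at time now. A stale copy replayed by whoever
// controls the network keeps its valid signature but fails the second test.
func VerifyManifest(pub ed25519.PublicKey, body, sig []byte, now time.Time) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("signature does not verify")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	if !now.Before(m.Expires) {
		return m, errors.New("manifest expired; treat the update check as failed")
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	issued := time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC) // constructed date
	body, sig := SignManifest(priv, Manifest{Latest: "2.33", Expires: issued.Add(7 * 24 * time.Hour)})
	if _, err := VerifyManifest(pub, body, sig, issued.Add(24*time.Hour)); err != nil {
		panic(err) // fresh copy inside the window: accepted
	}
	if _, err := VerifyManifest(pub, body, sig, issued.Add(30*24*time.Hour)); err == nil {
		panic("stale manifest accepted") // same bytes replayed weeks later: rejected
	}
}
```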