Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com)
An anonymous reader quotes this report from Engadget:
Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...
To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.
An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."
Kraut/no kraut. Homo/no homo. What does this have to do with the motivation to choose a buck over a fix?
I use KeePass2 on my iPhone. It doesn't push ads. So why is this a problem?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
If your password manager ever attempts binding a port or connecting to one then you have picked the wrong password manager.
Listen, kid. Encryption is not a silver bullet. A bulk software download can be served just fine by verifying that the bits haven't been diddled with, without encrypting them. Do that properly and encryption is basically just a waste of cycles and in fact best avoided. As a supposedly smart guy, you ought to understand that.
This app is proving what you get is what you pay. Pay zero and get zero security. Got it?
I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.
To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible.
It already is possible NOW, it's just that he decided he likes the ad bucks more than keeping his users secure by using the patch.
Glad I don't use any of his products, his attitude to his users sucks and he deserves to lose the lot of them.
He's an 80-year-old WWII vet or a twelve-year-old who watches too much Hogan's Heroes reruns on METV.
As for me, I'm an ad hominem using gay Mexican Jew.
The developer made a post 8 mins ago in this thread about the vulnerability.
https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398
Use KeePassDroid, free and ad free, by Brian Pellin
Yes, I would like to keep my ass, but I don't see how an app could help with that.
Guest98123 5 days ago
I saw an instant 30% drop in revenue when switching my site to HTTPS in April. The implementation was done right, A+ rating from ssllabs, Google reindexed my main pages as HTTPS within a matter of hours, search traffic and overall traffic remained unchanged.
I poked around on my AdSense account to see where I was losing the revenue, since AdSense was still displaying the same number of impressions. It turned out I was seeing a 75% drop in CPC impressions, and AdSense was running low paying CPM impressions instead.
http://i.imgur.com/acy2k0u.png
That's a graph of daily CPC impressions on my account. It's obvious when I switched to HTTPS. That was over a month and a half ago. It hasn't bounced back.
I'm faced with a difficult decision now; whether to go back to HTTP and inform the community we're going to a less secure system for increased ad revenues, or I need to accept a 30% drop in my yearly income, and hope the situation improves as more networks switch to HTTPS.
So it seems that, when using HTTPS, different ads are served. But it doesn't explain why if this revenue is so important, the developer hasn't yet taken the time to find a solution or workaround.
You, dear Sir, are completely missing the point here. And also an idiot.
"There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.
First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.
KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.
The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.
The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.
Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so-called man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short, you'd have to be dumb enough to not notice you were downloading the file from a trusted source or, in the event that this was man-in-the-middled, not notice that the file isn't signed or is signed by the wrong person.
Just fork it or use another build on Android.
It is open source, let him die in his own world of ad-revenue on the slide to zero users.
What a chump.
I understand that advertising has its place in a market economy, but I can't help but think that advertisers have gone completely insane. They've become stalkers and harassers, if not outright sociopaths, who only become more persistent, aggressive, and disconnected from reality each time they are rejected by the object of their obsession, and I truly think they must have many of the same mental health issues. There are a few rare adverts that make an effort to offer a minimum of entertainment value in exchange for your time and attention, but most display an astonishing sense of entitlement with the way they freely impose nuisance and other costs on their victims. And when the tactics turn out to be dysfunctional and counter-productive, they escalate the aggression rather than reconsidering their world view. They've become addicts who have long since stopped caring about the actual business reasons they are advertising in the first place.
Now they have reached a new level of anti-social behaviour with a new way of endangering their victims.
Just today I went to an office supply website and searched for a chair. In their enthusiasm for trying to blindly guess what else I might want to buy, they showed me dozens of items that were vaguely related to office furniture. They did not, however, show me a single item that was actually a chair.
And before anyone asks, no, I'm not suggesting that this is really comparable to the physical danger that a woman (or man) is in from a mentally deranged ex-boyfriend (or ex-girlfriend) who is stalking them in the criminal law sense. But advertisers are catching up.
...if an ASUS auto-update delivers a KeePass update do two negatives make a positive?
To be fair, the user is agreeing to use a security product that opens access to the internet. Worse, it's access where the user doesn't control the server end-point, bandwidth consumed, or protocol and security settings. Given all criminals online today, that's an obvious flaw. Google even did the right thing, they created an API for accessing cloud storage so applets could use networking services without being exposed. But many applets, like this one, access the internet to get advertising revenue. The developer gets perpetual income because of all the cheap bastards who won't pay $20 for a license with 'unlimited' upgrades.
I wonder what people trusting those password safe apps to store all their passwords, have in their minds. Peanuts, likely.
Use Bruce Schneier's Password Safe
In my fuzzy recollection of years gone by, I think slashdot comments were rather more insightful. Also funny, etc.
In the example of this article, the higher level topic that seems basically ignored is why the economic model of KeePass has failed so badly. Even if he wasn't sincere about maximizing security, he has to be aware of the sincerity of the potential users of his software. Can you imagine that a security program is going to attract many new users after a debacle like this?
Maybe the old slashdot would have even considered some constructive solutions? I think the best one would be a financial model tab on the App download page. In this case, it would reveal the developer was driven by ads and he could (if he was smart) have directly addressed the security ramifications of maximizing advertisement-based revenue. This is also a case where the hosting website (Apple's or Google's) would be able to add useful annotations about the standard business model. In general we should know where the money is coming from to assess the integrity of software, but most especially in the case of security-critical software.
Now we get to the question of whether or not any of the old slashdot trolls were thought provoking? The current crop are certainly a sack of Sad Sacks, but I can't really say I miss the old ones.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
That's one instance where you should never contract two words. How do you pronounce "it'd"? Would it have been so hard just to write "it would"? Yes, because the author is an AMERICAN...
When the website is compromised with a MITM attack, the attacker can provide a (fake) download link which downloads a compromised binary from the compromised website, instead of the original binary from SourceForge. In such a case, the user does not know that the file should be digitally signed by a certain author. Instead, the attacker can modify the site to provide (fake) MD5 and SHA-1 hashes which validate the (fake) binary, or provide a self-signed binary. In particular, the problem is that the URL to the download binary and the binary validation instructions also need to be validated, as well as the binary itself. This would be solved using HTTPS.
Note that this attack does not particularly target recurrent users (looking for updates; they probably know how the program security works and where it is hosted), but particularly first-time users who don't know how it works.
Chisel and stone tablets are the best password managers. For me to get in, just put paper over rock and scissors on paper. ugh ugh.... um... me need change password now.
APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.
Ads rob bandwidth/speed, security (malvertising), privacy (tracking) + anonymity.
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively. Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Works vs. caps & HTTP PUSH ads w/ firewalls.
Avg. webpage = big as Doom http://www.theregister.co.uk/2... & ads = 40% of the size.
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... )
safe enough.
Besides one comment not from the developer that's purely conjecture, where is any confirmation that ads are the reason here?
I see the ad supported goons were out in force modding everyone down that dared to agree.
How do you verify the bits that are supposed to be sent, in a way that is not compromised easily? The general answer to that is a hash and/or serving information through an encrypted channel, where checksums *will* error out if they don't match, and tampering of packets is obvious.
That said, the central cert authority model is retarded, but there are other ways to verify the contents of something as well. A GPG-signed binary with keys uploaded to multiple servers, with some level of Web-of-Trust-following (i.e. signatures and other certifications that indicate the key is legit) is one such method.
All encryption has problems, especially between two remote locations and a lacking private channel of communication, but simply trusting what comes down the wire as legitimate is asking for trouble.
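The two mechanisms argued over in this thread, the signed version information file from the quoted KeePass statement (RSA-2048 and SHA-512, private key kept off the web server) and the hash-versus-signature question in the comment above, can be shown side by side in a short Go program. This is an added example written for this page, not KeePass's own code: the "Product:Version" file layout, the installer bytes and the use of PKCS#1 v1.5 padding are all assumptions, since the page only names the key size and hash. It demonstrates that a pinned-key signature rejects a file altered on a plaintext HTTP path, while a digest published on the same page as the download is reproduced by whoever controls that page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Publisher side: detached RSA signature over a SHA-512 digest. The private key
// stays offline, so a compromised web server cannot re-sign anything.
// PKCS#1 v1.5 padding is an assumption; the page only states RSA-2048 and SHA-512.
func signDetached(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha512.Sum512(payload)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
}

// Client side: verify against the key pinned in the binary. The transport the
// bytes arrived over (HTTP or HTTPS) plays no role in this decision.
func verifyDetached(pub *rsa.PublicKey, payload, sig []byte) error {
	digest := sha512.Sum512(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig)
}

// VerifyVersionInfo checks the signature first and parses only afterwards.
// Constructed layout for this example (not KeePass's real file format):
// one "Product:Version" line per product, e.g. "KeePass:2.34".
func VerifyVersionInfo(pub *rsa.PublicKey, payload, sig []byte) (map[string]string, error) {
	if err := verifyDetached(pub, payload, sig); err != nil {
		return nil, fmt.Errorf("version file rejected: %w", err)
	}
	versions := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(payload)), "\n") {
		name, ver, ok := strings.Cut(strings.TrimSpace(line), ":")
		if !ok || name == "" || ver == "" {
			return nil, errors.New("malformed version line: " + line)
		}
		versions[name] = ver
	}
	return versions, nil
}

// ChecksumMatches compares a download with a digest published next to it.
// It catches corruption, nothing more: whoever can rewrite the download page
// can rewrite the digest to match a replaced file.
func ChecksumMatches(file []byte, publishedHex string) bool {
	want, err := hex.DecodeString(publishedHex)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(file)
	return bytes.Equal(sum[:], want)
}

// Scenario runs both situations from the thread. Expected: genuineOK true,
// tamperedOK false, pageHashOK true (no protection), swappedSigOK false.
func Scenario() (genuineOK, tamperedOK, pageHashOK, swappedSigOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	pub := &priv.PublicKey

	// 1. Publisher signs the version file offline; client verifies, then parses.
	genuine := []byte("KeePass:2.34\n")
	sig, err := signDetached(priv, genuine)
	if err != nil {
		return
	}
	v, err := VerifyVersionInfo(pub, genuine, sig)
	genuineOK = err == nil && v["KeePass"] == "2.34"

	// 2. Someone on the plaintext HTTP path rewrites the version but cannot re-sign.
	_, err = VerifyVersionInfo(pub, []byte("KeePass:2.99\n"), sig)
	tamperedOK = err == nil

	// 3. A page publishes a SHA-256 beside the installer (constructed bytes). If the
	//    page is under an attacker's control, file and digest change together.
	binary := []byte("constructed genuine installer bytes")
	swapped := []byte("constructed replaced installer bytes")
	h1, h2 := sha256.Sum256(binary), sha256.Sum256(swapped)
	pageHashOK = ChecksumMatches(binary, hex.EncodeToString(h1[:])) &&
		ChecksumMatches(swapped, hex.EncodeToString(h2[:]))

	// 4. A pinned-key signature over the genuine installer does not carry over.
	binSig, err := signDetached(priv, binary)
	if err != nil {
		return
	}
	swappedSigOK = verifyDetached(pub, swapped, binSig) == nil
	err = nil
	return
}

func main() {
	g, t, p, s, err := Scenario()
	fmt.Printf("genuine=%v tampered=%v pageHash=%v swappedSig=%v err=%v\n", g, t, p, s, err)
}
```

The order inside VerifyVersionInfo is the point worth copying: the signature is checked before any parsing, so a forged file never reaches the version-comparison logic, and the result does not depend on whether the bytes came over HTTP or HTTPS. HTTPS still matters for the first-time visitor's download page, as the earlier comment notes, because a pinned key only helps once the genuine client is already installed.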