Slashdot Mirror


Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com)

An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.

An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."

8 of 96 comments

  1. Re:Ads? by NotInHere · · Score: 5, Informative

    Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable over https as well, and if https was used on the website, the ads wouldn't be displayed. Or something like that:

    https://sourceforge.net/p/keep...

  2. Developer is engaged now. Time Sensitive by bobbutts · · Score: 4, Informative

    The developer made a post 8 mins ago in this thread about the vulnerability.
    https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398

  3. Re:Ads? by Anonymous Coward · · Score: 5, Informative

    Yeah, browsers are now by default blocking all http connection requests when browsing on https.

    For example, if you had 20 images embedded on a page, and only 1 of those was being served via http, it would simply not show up. The browser usually changes an icon somewhere to let a poweruser know, and I believe you can see the block happen in the dev tool console of firefox/chrome.

    The keepass one is more related to SEO rank dropping like a rock after switching to HTTPS and having to bid on https ads only.

  4. Fixed, and apparently not a HTTPS issue by rxmd · · Score: 5, Informative

    The security issue seems to be fixed as of KeePass 2.3.4 and it looks like the discussion about HTTPS and ads is missing the point. From the website (http://keepass.info/help/kb/sec_issues.html#updsig):

    "There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

    First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

    KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

    The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.

    The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

    Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."

    --
    As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
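The signed version check described in the quoted text, as an added Go example that is not KeePass's own code: the publisher signs a constructed version-information file offline with RSA-2048 and SHA-512, the client verifies it under a pinned public key before trusting the version number, and a file swapped in transit (or on a compromised web server) fails verification. The file layout and all function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
	"strings"
)

// Constructed version-information file, one "Name:Version" line (the real
// KeePass layout is not on the page, so this shape is an assumption).
const versionInfo = "KeePass:2.34\n"

// newPublisherKey stands in for the publisher's RSA-2048 signing key, which
// stays offline and is never copied to the web server.
func newPublisherKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signVersionInfo is the publisher step: SHA-512 digest, RSA PKCS#1 v1.5 signature.
func signVersionInfo(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha512.Sum512(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
}

// checkUpdate is the client step: trust the file only after its signature verifies
// under the pinned key, then report whether the advertised version differs.
func checkUpdate(pub *rsa.PublicKey, data, sig []byte, installed string) (bool, error) {
	digest := sha512.Sum512(data)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return false, errors.New("version information file rejected: signature invalid")
	}
	_, ver, ok := strings.Cut(strings.TrimSpace(string(data)), ":")
	if !ok {
		return false, errors.New("version information file malformed")
	}
	return ver != installed, nil
}

func main() {
	priv, _ := newPublisherKey()
	sig, _ := signVersionInfo(priv, []byte(versionInfo))
	fmt.Println(checkUpdate(&priv.PublicKey, []byte(versionInfo), sig, "2.33")) // genuine: true <nil>
	// Swapped in transit or on a compromised server: signature fails, version ignored.
	fmt.Println(checkUpdate(&priv.PublicKey, []byte("KeePass:9.99\n"), sig, "2.33"))
}
```

Even when the client accepts the file, it only displays a notice; the download itself is still a manual step where the Authenticode signature on the binary is checked.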

  5. Bunch of FUD by shellster_dude · · Score: 5, Informative

    This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so-called man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short, you'd have to be dumb enough to not notice you were downloading the file from an untrusted source or, in the event that this was man-in-the-middled, not notice that the file isn't signed or is signed by the wrong person.

  6. Re: Network Access?? by Anonymous Coward · · Score: 4, Informative

    Keepass doesn't download a signed or any other binary from any website.

    It uses http to get a version.txt and if the number in that file differs from its version, it pops up a notice telling you an update is available on the website.

    You need to manually do all the rest.

  7. Re:Ads? by Anonymous Coward · · Score: 4, Informative

    Because the keepass website doesn't host the updates. The software is hosted on sourceforge and that's where you're taken when you click the link to download the update. Keepass doesn't self-update. It will let you know if a new version is available, but that's all it does. It's then up to the user to go to the keepass website and download and install the new version if they decide to upgrade. And as stated before, those downloads are hosted by sourceforge and its mirrors which appear to serve the installation files via HTTPS already.

  8. Re:HTTPS is that hard to do? by AmiMoJo · · Score: 3, Informative

    They pay more for HTTP because browsers don't let them track users in as much detail with HTTPS.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC