Password App Developer Overlooks Security Hole to Preserve Ads

An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.
An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."

HTTPS is that hard to do?

[Todd+Knarr]

I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

This seems to explain what's going on

[dfm3]

Yes, I RTFA. And the discussion thread. And the other linked discussion thread on Sourceforge. And it still took me a while to figure out what this was all about... though I finally found an explanation on this thread which was linked to from a thread that was linked to from the thread in the third link:

Guest98123 5 days ago

I saw an instant 30% drop in revenue when switching my site to HTTPS in April. The implementation was done right, A+ rating from ssllabs, Google reindexed my main pages as HTTPS within a matter of hours, search traffic and overall traffic remained unchanged.

I poked around on my AdSense account to see where I was losing the revenue, since AdSense was still displaying the same number of impressions. It turned out I was seeing a 75% drop in CPC impressions, and AdSense was running low paying CPM impressions instead.

http://i.imgur.com/acy2k0u.png

That's a graph of daily CPC impressions on my account. It's obvious when I switched to HTTPS. That was over a month and a half ago. It hasn't bounced back.

I'm faced with a difficult decision now; whether to go back to HTTP and inform the community we're going to a less secure system for increased ad revenues, or I need to accept a 30% drop in my yearly income, and hope the situation improves as more networks switch to HTTPS.

So it seems that, when using HTTPS, different ads are served. But it doesn't explain why if this revenue is so important, the developer hasn't yet taken the time to find a solution or workaround.

Re:This seems to explain what's going on

[Richard_at_work]

The problem is, Google wont talk to you about it - their decision is invariably final, so you are stuck with whatever their algorithm has decided. In his case, by making the site more secure Google have decided to put him on a lower revenue ad stream - there aint nothing he is going to be able to do to change that.

Advertising ethics

[Livius]

I understand that advertising has its place in a market economy, but I can't help but think that advertisers have gone completely insane. They've become stalkers and harassers, if not outright sociopaths, who only become more persistent, aggressive, and disconnected from reality each time they are rejected by the object of their obsession, and I truly think they must have many of the same mental health issues. There are a few rare adverts that make an effort to offer a minimum of entertainment value in exchange for your time and attention, but most display an astonishing sense of entitlement with the way they freely impose nuisance and other costs on their victims. And when the tactics turn out to be dysfunctional and counter-productive, they escalate the aggression rather than reconsidering their world view. They've become addicts who have long since stopped caring about the actual business reasons they are advertising in the first place.

Now they have reached a new level of anti-social behaviour with a new way of endangering their victims.

Just today I went to an office supply website and searched for a chair. In their enthusiasm for trying to blindly guess what else I might want to buy, they showed me dozens of items that were vaguely related to office furniture. They did not, however, show me a single item that was actually a chair.

And before anyone asks, no, I'm not suggesting that this is really comparable to the physical danger that a woman (or man) is in from a mentally deranged ex-boyfriend (or ex-girlfriend) who is stalking them in the criminal law sense. But advertisers are catching up.