Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com)

Posted by EditorDavid on from the apps-vs-ads dept.

An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.
An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."

14 of 96 comments (clear)

  1. Re:Ads? by NotInHere · · Score: 5, Informative

    Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable over https as well, and if https was used on the website, the ads wouldn't be displayed. Or something like that:

    https://sourceforge.net/p/keep...

  2. Developer is engaged now. Time Sensitive by bobbutts · · Score: 4, Informative

    The developer made a post 8 mins ago in this thread about the vulnerability.
    https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398

  3. This seems to explain what's going on by dfm3 · · Score: 5, Interesting
    Yes, I RTFA. And the discussion thread. And the other linked discussion thread on Sourceforge. And it still took me a while to figure out what this was all about... though I finally found an explanation on this thread which was linked to from a thread that was linked to from the thread in the third link:

    Guest98123 5 days ago

    I saw an instant 30% drop in revenue when switching my site to HTTPS in April. The implementation was done right, A+ rating from ssllabs, Google reindexed my main pages as HTTPS within a matter of hours, search traffic and overall traffic remained unchanged.

    I poked around on my AdSense account to see where I was losing the revenue, since AdSense was still displaying the same number of impressions. It turned out I was seeing a 75% drop in CPC impressions, and AdSense was running low paying CPM impressions instead.

    http://i.imgur.com/acy2k0u.png

    That's a graph of daily CPC impressions on my account. It's obvious when I switched to HTTPS. That was over a month and a half ago. It hasn't bounced back.

    I'm faced with a difficult decision now; whether to go back to HTTP and inform the community we're going to a less secure system for increased ad revenues, or I need to accept a 30% drop in my yearly income, and hope the situation improves as more networks switch to HTTPS.

    So it seems that, when using HTTPS, different ads are served. But it doesn't explain why if this revenue is so important, the developer hasn't yet taken the time to find a solution or workaround.

    1. Re:This seems to explain what's going on by Richard_at_work · · Score: 4, Interesting

      The problem is, Google wont talk to you about it - their decision is invariably final, so you are stuck with whatever their algorithm has decided. In his case, by making the site more secure Google have decided to put him on a lower revenue ad stream - there aint nothing he is going to be able to do to change that.

    2. Re:This seems to explain what's going on by KozmoStevnNaut · · Score: 2

      That seems really strange, considering the massive boner Google has for HTTPS.

      --
      Eat the rich.
  4. Re:Ads? by Anonymous Coward · · Score: 5, Informative

    Yeah, browsers are now by default blocking all http connection requests when browsing on https.

    For example. If you had 20 images embedded on a page, and only 1 of those was being served via http, it would simply not show up. Browser usually changes an icon somewhere to let a poweruser know, and I believe you can see the block happen in the dev tool console of firefox/chrome.

    The keepass one is more related to SEO rank dropping like a rock after switching to HTTPS and having to bid on https ads only.

  5. Re:Ads? by EvilSS · · Score: 5, Insightful

    Then why not put the updates on updates.keepass2.whatever, and enable HTTPS on that but not the root? Every major web server I know of would allow for that type of configuration. I mean, if he can't figure that out, what else has slipped through the cracks?

    --
    I browse on +1 so AC's need not respond, I won't see it.
  6. Fixed, and apparently not a HTTPS issue by rxmd · · Score: 5, Informative
    The security issue seems to be fixed as of KeePass 2.3.4 and it looks like the discussion about HTTPS and ads is missing the point. From the website (http://keepass.info/help/kb/sec_issues.html#updsig):

    "There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

    First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

    KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

    The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.

    The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

    Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."

    --
    As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
  7. Bunch of FUD by shellster_dude · · Score: 5, Informative

    This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so called Man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short you'd have to be dumb enough to not notice you were downloading the file from a trusted source or in the event that this was man in the middled, not notice that the file isn't signed or is signed by the wrong person.

  8. Advertising ethics by Livius · · Score: 4, Interesting

    I understand that advertising has its place in a market economy, but I can't help but think that advertisers have gone completely insane. They've become stalkers and harassers, if not outright sociopaths, who only become more persistent, aggressive, and disconnected from reality each time they are rejected by the object of their obsession, and I truly think they must have many of the same mental health issues. There are a few rare adverts that make an effort to offer a minimum of entertainment value in exchange for your time and attention, but most display an astonishing sense of entitlement with the way they freely impose nuisance and other costs on their victims. And when the tactics turn out to be dysfunctional and counter-productive, they escalate the aggression rather than reconsidering their world view. They've become addicts who have long since stopped caring about the actual business reasons they are advertising in the first place.

    Now they have reached a new level of anti-social behaviour with a new way of endangering their victims.

    Just today I went to an office supply website and searched for a chair. In their enthusiasm for trying to blindly guess what else I might want to buy, they showed me dozens of items that were vaguely related to office furniture. They did not, however, show me a single item that was actually a chair.

    And before anyone asks, no, I'm not suggesting that this is really comparable to the physical danger that a woman (or man) is in from a mentally deranged ex-boyfriend (or ex-girlfriend) who is stalking them in the criminal law sense. But advertisers are catching up.

  9. Re: Network Access?? by Anonymous Coward · · Score: 4, Informative

    Keepass doesn't download a signed or any other binary from any website.

    It uses http to get a version.txt and if the number in that file differs from its version, it pops up a notice telling you an update is available on the website.

    You need to manually do all the rest.

  10. Re: Ads? by EvilSS · · Score: 2

    and skip fake webviews for crappy ad networks? no way

    He can have it both ways though, that's my point. Make just the download page https, but put a page in front of it so he can keep serving his ads. I get the ads, it's not like the people who are using the software are paying for it and god forbid they donate to help the continued development. But there are technical solutions to this and the fact that he hasn't figured that out concerns me, especially since this is a security product he's making.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  11. Re:Ads? by Anonymous Coward · · Score: 4, Informative

    Because the keepass website doesn't host the updates. The software is hosted on sourceforge and that's where you're taken when you click the link to download the update. Keepass doesn't self-update. It will let you know if a new version is available, but that's all it does. It's then up to the user to go to the keepass website and download and install the new version if they decide to upgrade. And as stated before, those downloads are hosted by sourceforge and its mirrors which appear to serve the installation files via HTTPS already.

  12. Re:HTTPS is that hard to do? by AmiMoJo · · Score: 3, Informative

    They pay more for HTTP because browsers don't let them track users in as much detail with HTTPS.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC