Stay away from KeePass



2 minutes ago, th3rEsa said:

Because I didn't think people would care so I didn't submit it as news.

While it may already be posted here, I would still send it in - Who knows could give developers a bit of a wakeup call on simple things like this.


1 hour ago, BudMan said:

Don't spread FUD please... They grabbed a hashed copy of your email, not the passwords. Be clear in what you state. The actual vault of passwords was not gotten.

Not only that, even if they got the vault they can't decrypt it without the master password. The stronger your master password, the less likely it is that they'd be able to decrypt the database (at the very least in a timely manner). Besides, LastPass would likely quickly warn users about the hack and all passwords could be changed.


14 hours ago, SuperKid said:

HTTPS, isn't KeePass all stored locally?

EDIT: Oh, the update checker...

Update checker does not upload your passwords, so what's the deal?


Just now, coth said:

Update checker does not upload your passwords, so what's the deal?

The big deal is that someone could hijack the update system. Plus, considering that this is a security application, you would expect something as simple as having HTTPS connections to be standard.


1 minute ago, Danielx64 said:

The big deal is that someone could hijack the update system. Plus, considering that this is a security application, you would expect something as simple as having HTTPS connections to be standard.

HTTPS wouldn't save you in this way


1 minute ago, coth said:

HTTPS wouldn't save you in this way

Read this:

2 minutes ago, th3rEsa said:

Having the update checker download things from a prepared MITM server is probably not what you want your password manager to do.


3 hours ago, Danielx64 said:

Wouldn't you think that a site like KeePass would have HTTPS on everything? IMO KeePass can't be trusted due to this basic mistake.

OK, agree, but still... you can install 100 layers of HTTPS and VPN and proxy and AV and firewalls or whatever; there's still a risk. Of course, if they are too lazy to do the basic stuff, you'd want to avoid them.


On 6/3/2016 at 5:54 AM, Danielx64 said:

Wouldn't you think that a site like KeePass would have HTTPS on everything? IMO KeePass can't be trusted due to this basic mistake.

What does the updater have to do with your self-hosted and encrypted DB? This is 100% a non-issue, unless you happen to have some personal issue you should deal with on your own.


On 6/3/2016 at 7:38 AM, coth said:

On 6/3/2016 at 6:50 AM, Danielx64 said:

The big deal is that someone could hijack the update system. Plus, considering that this is a security application, you would expect something as simple as having HTTPS connections to be standard.

On 6/3/2016 at 6:51 AM, th3rEsa said:

Having the update checker download things from a prepared MITM server is probably not what you want your password manager to do.

Unless this theoretical boogeyman somehow also got your master password, which is extremely unlikely, AND also got access to your DB, then this is being blown out of proportion for no good reason.


17 minutes ago, th3rEsa said:

A developer being unwilling to fix a security hole for revenue reasons can't be blown "out of proportion".

It's not a hole, get over it. You have a vendetta, we get it, but it is WAY overblown by you and the one other person agreeing with you.


Thanks for the heart attack! :o

The day I have to update 1029 passwords is the day I... cry like a baby.

Edit: So this is only a potential risk if a "baddy" is already in your local network, or KeePass is checking for updates over public wifi?


4 minutes ago, Anibal P said:

 It's not a hole, get over it

Taking revenues more seriously than security does not matter for you unless you're directly affected?


The issue here is that users can be tricked into installing a malicious version of the software. The fact that the application itself opens the suspect webpage means that users will be less suspecting of it.

Using HTTPS for the update check would help in this scenario because the attacker is highly unlikely to have a signed certificate for the correct domain (which is hard-coded in the application).


On 6/2/2016 at 1:05 PM, th3rEsa said:

LastPass had security issues in the past, intruders were able to grab their database; which was one of the reasons I switched over to a self-hosted solution.

Cite a source, please. As far as I have read, no data was ever acquired in any LastPass security incident.


The KeePass updater isn't even an updater; all it does is notify you and tell you to go to the website. The link in the application to the website appears to be hard-coded, so a MITM attack could not redirect to a spoofed webpage. The only way they could distribute malware with this is if they compromised the KeePass website.

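The two posts above disagree about whether a tampered plaintext version check matters when the website link is hard-coded. Both positions share one assumption: the update check trusts whatever the network delivers. The Go program below is an added example written for this thread; it is not KeePass's code and does not describe how the KeePass checker works. It assumes a hypothetical update manifest (version, download URL, SHA-256 of the installer) signed with an Ed25519 key whose public half is embedded in the application, and the installer bytes and domain names are constructed for the example. A manifest rewritten on the wire fails signature verification regardless of whether it arrived over HTTP or HTTPS, and a swapped download fails the hash check even if the link itself was never changed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update descriptor of the kind an update
// checker might fetch. The field set is an assumption for this example.
type Manifest struct {
	Version   string
	URL       string
	SHA256Hex string // hex SHA-256 of the installer the URL points at
}

// canonical serialises the manifest into the exact bytes that get signed,
// so that any change to any field invalidates the signature.
func (m Manifest) canonical() []byte {
	return []byte(strings.Join([]string{m.Version, m.URL, m.SHA256Hex}, "\n"))
}

// Sign produces a detached Ed25519 signature over the canonical manifest.
// This runs on the developer's release machine, never on the web server.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Verify checks the manifest against the public key compiled into the
// application. The decision does not depend on the transport used.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("update manifest signature invalid")
	}
	return nil
}

// VerifyInstaller checks the downloaded bytes against the hash that the
// signed manifest committed to, so a swapped download is caught too.
func VerifyInstaller(m Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

// Tamper imitates an on-path attacker rewriting a plaintext HTTP response:
// the version is bumped and the link now points at the attacker's host.
func Tamper(m Manifest) Manifest {
	m.Version = "99.0"
	m.URL = "http://updates.attacker.invalid/setup.exe"
	return m
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a real installer.
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	genuine := Manifest{
		Version:   "2.33",
		URL:       "https://vendor.invalid/Setup.exe",
		SHA256Hex: hex.EncodeToString(sum[:]),
	}
	sig := Sign(priv, genuine)

	fmt.Println("genuine manifest:  ", Verify(pub, genuine, sig))
	fmt.Println("tampered manifest: ", Verify(pub, Tamper(genuine), sig))
	fmt.Println("genuine installer: ", VerifyInstaller(genuine, installer))
	fmt.Println("swapped installer: ", VerifyInstaller(genuine, []byte("malware")))
}
```

HTTPS still matters in this design: it hides the check from a passive observer and blocks the trivial rewrite. The signature is what makes the trust decision independent of the network path, and the hash in the signed manifest is what ties the hard-coded link to a specific download. The signing key has to stay off the web server, or a compromise of the website of the kind mentioned above would hand over the signing key as well.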

It is lamentable to see that the reaction of some people here amounts to "yep, password manager susceptible to a man-in-the-middle attack, no biggie." If a developer in charge of a piece of security software thinks that an update system using unsecured HTTP is not a big deal, how secure do you think the rest of his code is?

Updating is an essential part of software packages nowadays and it needs to be painless and secure. The vulnerability here is not to be discounted. Sparkle had the same vulnerability a couple of years ago and it was a big deal.

What gets to me, though, is the developer's response, because it makes no sense. Lost revenue? HTTPS has minimal overhead, and ads can be funneled through HTTPS. I see the developer uses AdSense to monetize his website. AdSense fully supports HTTPS. So what keeps him from switching his website to HTTPS, like all of his competitors?

Edited by Newinko
