Advertising Cellphones Security

Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com) 96

An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.

An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."
  • I use KeePass2 on my iPhone. It doesn't push ads. So why is this a problem?

    • Re:Ads? (Score:5, Informative)

      by NotInHere ( 3654617 ) on Sunday June 05, 2016 @04:47PM (#52255343)

      Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable over https as well, and if https was used on the website, the ads wouldn't be displayed. Or something like that:

      https://sourceforge.net/p/keep... [sourceforge.net]

      • Re:Ads? (Score:5, Informative)

        by Anonymous Coward on Sunday June 05, 2016 @05:16PM (#52255521)

        Yeah, browsers are now by default blocking all http connection requests when browsing on https.

        For example, if you had 20 images embedded on a page, and only 1 of those was being served via http, it would simply not show up. The browser usually changes an icon somewhere to let a power user know, and I believe you can see the block happen in the dev tool console of Firefox/Chrome.

        The keepass one is more related to SEO rank dropping like a rock after switching to HTTPS and having to bid on https ads only.

      • Re:Ads? (Score:5, Insightful)

        by EvilSS ( 557649 ) on Sunday June 05, 2016 @05:39PM (#52255611)
        Then why not put the updates on updates.keepass2.whatever, and enable HTTPS on that but not the root? Every major web server I know of would allow for that type of configuration. I mean, if he can't figure that out, what else has slipped through the cracks?
        • Re:Ads? (Score:4, Informative)

          by Anonymous Coward on Sunday June 05, 2016 @11:37PM (#52256971)

          Because the keepass website doesn't host the updates. The software is hosted on sourceforge and that's where you're taken when you click the link to download the update. Keepass doesn't self-update. It will let you know if a new version is available, but that's all it does. It's then up to the user to go to the keepass website and download and install the new version if they decide to upgrade. And as stated before, those downloads are hosted by sourceforge and its mirrors which appear to serve the installation files via HTTPS already.

    • by Anonymous Coward

      Ads on the website. Keepass runs on PC as well; to download a new or updated installer you have to go to an insecure site and download software to store your passwords. Not a good thing.

  • Listen, kid. Encryption is not a silver bullet. A bulk software download can be served just fine by verifying that the bits haven't been diddled with, without encrypting them. Do that properly and encryption is basically just a waste of cycles and in fact best avoided. As a supposedly smart guy, you ought to understand that.

  • I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

    • by tlhIngan ( 30335 )

      I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

      Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable ove

    • that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS

      You can't believe something to be true except for the one scenario you proposed which is actually the cause of the problems. :-)

      He changed his web server to HTTPS and suddenly started getting different ads served which cut his revenue stream. Why, no one is sure yet. Maybe some specific ads couldn't be served over HTTPS but ultimately this isn't a client problem.

      What he needs is two different virtual servers, straight HTTP for visitors to get served ads, and a HTTPS site to serve the download files.

    • by AmiMoJo ( 196126 ) on Monday June 06, 2016 @08:26AM (#52258459) Homepage Journal

      They pay more for HTTP because browsers don't let them track users in as much detail with HTTPS.

  • by Anonymous Coward

    To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible.

    It already is possible NOW, it's just that he decided he likes the ad bucks more than keeping his users secure by using the patch.
    Glad I don't use any of his products, his attitude to his users sucks and he deserves to lose the lot of them.

    • I personally find it really hard to trust somebody on something as important and detail-oriented as security when they don't even know what an important, basic word like "possible" means. I naturally assume that when it comes to knowing what attacks against his product are "possible," he just is unable to do the analysis because he doesn't even know what the question is.

  • by bobbutts ( 927504 ) <bobbutts@gmail.com> on Sunday June 05, 2016 @05:00PM (#52255447)
    The developer made a post 8 mins ago in this thread about the vulnerability.
    https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398 [sourceforge.net]
  • Use KeePassDroid, free and ad free, by Brian Pellin

  • by rxmd ( 205533 ) on Sunday June 05, 2016 @05:43PM (#52255623) Homepage
    The security issue seems to be fixed as of KeePass 2.34 and it looks like the discussion about HTTPS and ads is missing the point. From the website (http://keepass.info/help/kb/sec_issues.html#updsig [keepass.info]):

    "There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

    First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

    KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

    The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.

    The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

    Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."
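    The signed version-information check the quoted KB page describes, as an added example that is not KeePass's own code: a Go sketch of both sides, where the publisher signs the file offline with an RSA-2048 key over a SHA-512 digest and the client verifies it against a pinned public key before it reads any version number out of it. The file format, the product names and the choice of PKCS#1 v1.5 padding are assumptions; the KB page states only RSA-2048 and SHA-512. What it shows is the point the page makes: a man in the middle, or a compromised web server, can alter the bytes but cannot produce a signature the client accepts, so whether the file travelled over HTTP or HTTPS is irrelevant to its authenticity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
	"strings"
)

// versionInfo is a constructed stand-in for the version information file:
// one "Product:Version" line per product. The real file's layout is an
// assumption here, not taken from the project.
const versionInfo = "KeePass:2.34\nKeePassLibC:1.31\n"

// signVersionInfo is the publisher side. The private key stays with the
// developer and is never placed on the web server, so a server compromise
// does not yield a forged file. PKCS#1 v1.5 over SHA-512 is an assumption;
// the KB page only names RSA-2048 and SHA-512.
func signVersionInfo(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha512.Sum512(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
}

// verifyVersionInfo is the client side. The public key is pinned in the
// binary, so it does not matter which server or which transport delivered
// the file.
func verifyVersionInfo(pub *rsa.PublicKey, body, sig []byte) error {
	digest := sha512.Sum512(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig)
}

// parseVersionInfo reads the advertised version for one product from a file
// that has already passed signature verification. It is never called on
// unverified bytes.
func parseVersionInfo(body []byte, product string) (string, error) {
	for _, line := range strings.Split(string(body), "\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && parts[0] == product {
			return parts[1], nil
		}
	}
	return "", errors.New("product not listed in version information")
}

// checkForUpdate is the whole update check: verify first, then parse.
// An attacker who lacks the private key can only reach the error path and
// can never make the client report a bogus "new version available".
func checkForUpdate(pub *rsa.PublicKey, body, sig []byte, product string) (string, error) {
	if err := verifyVersionInfo(pub, body, sig); err != nil {
		return "", fmt.Errorf("version information rejected: %w", err)
	}
	return parseVersionInfo(body, product)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := signVersionInfo(priv, []byte(versionInfo))
	if err != nil {
		panic(err)
	}

	// Genuine file: verifies and yields the real version.
	v, err := checkForUpdate(&priv.PublicKey, []byte(versionInfo), sig, "KeePass")
	fmt.Println("genuine file:", v, err)

	// Man in the middle rewrites the version number but can only replay the
	// old signature, which no longer matches the digest.
	tampered := []byte(strings.Replace(versionInfo, "2.34", "9.99", 1))
	_, err = checkForUpdate(&priv.PublicKey, tampered, sig, "KeePass")
	fmt.Println("tampered file:", err)
}
```

    Running it with `go run` prints the genuine version for the signed file and a rejection error for the tampered one. Note what the check does not cover: the second step the commenters discuss, downloading and running the installer, is still protected only by the user looking at the Authenticode signature.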

  • Bunch of FUD (Score:5, Informative)

    by shellster_dude ( 1261444 ) on Sunday June 05, 2016 @05:44PM (#52255627)
    This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so-called man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short you'd have to be dumb enough to not notice you were downloading the file from a trusted source or, in the event that this was man-in-the-middled, not notice that the file isn't signed or is signed by the wrong person.
    • In short you'd have to be dumb enough to not notice ...

      What if it turns out to be a known fact that humans are dumb? Are you seriously arguing that a threat vector is fake if it can only affect "dumb" people? I doubt very many security threats affect Vulcans, but Humans might have a broader need for technical protection.

      Sometimes calling things names only discredits your analysis.

  • Advertising ethics (Score:5, Interesting)

    by Livius ( 318358 ) on Sunday June 05, 2016 @06:45PM (#52255841)

    I understand that advertising has its place in a market economy, but I can't help but think that advertisers have gone completely insane. They've become stalkers and harassers, if not outright sociopaths, who only become more persistent, aggressive, and disconnected from reality each time they are rejected by the object of their obsession, and I truly think they must have many of the same mental health issues. There are a few rare adverts that make an effort to offer a minimum of entertainment value in exchange for your time and attention, but most display an astonishing sense of entitlement with the way they freely impose nuisance and other costs on their victims. And when the tactics turn out to be dysfunctional and counter-productive, they escalate the aggression rather than reconsidering their world view. They've become addicts who have long since stopped caring about the actual business reasons they are advertising in the first place.

    Now they have reached a new level of anti-social behaviour with a new way of endangering their victims.

    Just today I went to an office supply website and searched for a chair. In their enthusiasm for trying to blindly guess what else I might want to buy, they showed me dozens of items that were vaguely related to office furniture. They did not, however, show me a single item that was actually a chair.

    And before anyone asks, no, I'm not suggesting that this is really comparable to the physical danger that a woman (or man) is in from a mentally deranged ex-boyfriend (or ex-girlfriend) who is stalking them in the criminal law sense. But advertisers are catching up.

  • ...if an ASUS auto-update delivers a KeePass update do two negatives make a positive?

  • In my fuzzy recollection of years gone by, I think slashdot comments were rather more insightful. Also funny, etc.

    In the example of this article, the higher level topic that seems basically ignored is why the economic model of KeePass has failed so badly. Even if he wasn't sincere about maximizing security, he has to be aware of the sincerity of the potential users of his software. Can you imagine that a security program is going to attract many new users after a debacle like this?

    Maybe the old slashdot wou

    • In my fuzzy recollection of years gone by, I think slashdot comments were rather more insightful.

      It seems that way to me too, but maybe I was just young and stupid and had lower expectations? There is no way for me to know without going back and reading back issues, and there is no way I'm going to spend time on that.

      why the economic model of KeePass has failed so badly?

      It hasn't, the developer would just make less money with HTTPS ads. He wouldn't stop making money. He'd just make less off this particular residual revenue stream, and he's not willing to milk it for less than the maximum.

  • When the website is compromised with a MITM attack, the attacker can provide a (fake) download link which downloads a compromised binary from the compromised website, instead of the original binary from Sourceforge. In such case, the user does not know that the file should be digitally signed by a certain author. Instead, the attacker can modify the site to provide (fake) MD5 and SHA-1 hashes which validate the (fake) binary, or provide a self-signed binary. In particular, the problem is that the URL to the

    • The digital signature in question is not an external verification, but instead the one Windows does on the installer. So your UAC popup would also indicate it is a fake binary.

      • I doubt it. The binary could be unsigned, and the (fake) website provide some instructions on ignoring the UAC notification but validating the SHA-1 hash, which would be a sensible way to do when you do not have (or pay) a code signing certificate. More info, for example: http://www.excelsiorjet.com/kb... [excelsiorjet.com]
