Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Advertising Cellphones Security

Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com) 96

An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.

An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."
This discussion has been archived. No new comments can be posted.

Password App Developer Overlooks Security Hole to Preserve Ads

Comments Filter:
  • I use KeePass2 on my iPhone. It doesn't push ads. So why is this a problem?

    • Re:Ads? (Score:5, Informative)

      by NotInHere ( 3654617 ) on Sunday June 05, 2016 @03:47PM (#52255343)

      Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable over https as well, and if https was used on the website, the ads wouldn't be displayed. Or something like that:

      https://sourceforge.net/p/keep... [sourceforge.net]

      • Re:Ads? (Score:5, Informative)

        by Anonymous Coward on Sunday June 05, 2016 @04:16PM (#52255521)

        Yeah, browsers are now by default blocking all http connection requests when browsing on https.

        For example. If you had 20 images embedded on a page, and only 1 of those was being served via http, it would simply not show up. Browser usually changes an icon somewhere to let a poweruser know, and I believe you can see the block happen in the dev tool console of firefox/chrome.

        The keepass one is more related to SEO rank dropping like a rock after switching to HTTPS and having to bid on https ads only.

      • Re:Ads? (Score:5, Insightful)

        by EvilSS ( 557649 ) on Sunday June 05, 2016 @04:39PM (#52255611)
        Then why not put the updates on updates.keepass2.whatever, and enable HTTPS on that but not the root? Every major web server I know of would allow for that type of configuration. I mean, if he can't figure that out, what else has slipped through the cracks?
        • Re:Ads? (Score:4, Informative)

          by Anonymous Coward on Sunday June 05, 2016 @10:37PM (#52256971)

          Because the keepass website doesn't host the updates. The software is hosted on sourceforge and that's where you're taken when you click the link to download the update. Keepass doesn't self-update. It will let you know if a new version is available, but that's all it does. It's then up to the user to go to the keepass website and download and install the new version if they decide to upgrade. And as stated before, those downloads are hosted by sourceforge and its mirrors which appear to serve the installation files via HTTPS already.

    • by Anonymous Coward

      Ads on the website. Keepass runs on PC as well, to get to download new or update installer you have to go to an insecure site and download software to store your passwords. Not a good thing.

  • Listen, kid. Encryption is not a silver bullet. A bulk software download can be served just fine by verifying that the bits haven't been diddled with, without encrypting them. Do that properly and encryption is basically just a waste of cycles and in fact best avoided. As a supposedly smart guy, you ought to understand that.

  • I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

    • by tlhIngan ( 30335 )

      I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

      Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable ove

    • that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS

      You can't believe something to be true except for the one scenario you proposed which is actually the cause of the problems. :-)

      He changed his web server to HTTPS and suddenly started getting different ads served which cut his revenue stream. Why, no one is sure yet. Maybe some specific ads couldn't be served over HTTPS but ultimately this isn't a client problem.

      What he needs is two different virtual servers, straight HTTP for visitors to get served ads, and a HTTPS site to serve the download files.

    • by AmiMoJo ( 196126 ) on Monday June 06, 2016 @07:26AM (#52258459) Homepage Journal

      They pay more for HTTP because browsers don't let them track users in as much detail with HTTPS.

  • by Anonymous Coward

    To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible.

    It already is possible NOW, it's just that he decided he likes the ad bucks more than keeping his users secure by using the patch.
    Glad I don't use any of his products, his attitude to his users sucks and he deserves to lose the lot of them.

    • I personally find it really hard to trust somebody on something as important and detail-oriented as security when they don't even know what an important, basic word like "possible" means. I naturally assume that when it comes to knowing what attacks against his product are "possible," he just is unable to do the analysis because he doesn't even know what the question is.

  • by bobbutts ( 927504 ) <bobbutts@gmail.com> on Sunday June 05, 2016 @04:00PM (#52255447)
    The developer made a post 8 mins ago in this thread about the vulnerability.
    https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398 [sourceforge.net]
  • Use KeePassDroid, free and ad free, by Brian Pellin

  • by rxmd ( 205533 ) on Sunday June 05, 2016 @04:43PM (#52255623) Homepage
    The security issue seems to be fixed as of KeePass 2.3.4 and it looks like the discussion about HTTPS and ads is missing the point. From the website (http://keepass.info/help/kb/sec_issues.html#updsig [keepass.info]):

    "There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

    First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

    KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

    The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.

    The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

    Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."

  • Bunch of FUD (Score:5, Informative)

    by shellster_dude ( 1261444 ) on Sunday June 05, 2016 @04:44PM (#52255627)
    This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so called Man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short you'd have to be dumb enough to not notice you were downloading the file from a trusted source or in the event that this was man in the middled, not notice that the file isn't signed or is signed by the wrong person.
    • In short you'd have to be dumb enough to not notice ...

      What if it turns out to be a known fact that humans are dumb? Are you seriously arguing that a threat vector is fake if it can only affect "dumb" people? I doubt very many security threats affect Vulcans, but Humans might have a broader need for technical protection.

      Sometimes calling things names only discredits your analysis.

  • Advertising ethics (Score:5, Interesting)

    by Livius ( 318358 ) on Sunday June 05, 2016 @05:45PM (#52255841)

    I understand that advertising has its place in a market economy, but I can't help but think that advertisers have gone completely insane. They've become stalkers and harassers, if not outright sociopaths, who only become more persistent, aggressive, and disconnected from reality each time they are rejected by the object of their obsession, and I truly think they must have many of the same mental health issues. There are a few rare adverts that make an effort to offer a minimum of entertainment value in exchange for your time and attention, but most display an astonishing sense of entitlement with the way they freely impose nuisance and other costs on their victims. And when the tactics turn out to be dysfunctional and counter-productive, they escalate the aggression rather than reconsidering their world view. They've become addicts who have long since stopped caring about the actual business reasons they are advertising in the first place.

    Now they have reached a new level of anti-social behaviour with a new way of endangering their victims.

    Just today I went to an office supply website and searched for a chair. In their enthusiasm for trying to blindly guess what else I might want to buy, they showed me dozens of items that were vaguely related to office furniture. They did not, however, show me a single item that was actually a chair.

    And before anyone asks, no, I'm not suggesting that this is really comparable to the physical danger that a woman (or man) is in from a mentally deranged ex-boyfriend (or ex-girlfriend) who is stalking them in the criminal law sense. But advertisers are catching up.

  • ...if an ASUS auto-update delivers a KeePass update do two negatives make a positive?

  • In my fuzzy recollection of years gone by, I think slashdot comments were rather more insightful. Also funny, etc.

    In the example of this article, the higher level topic that seems basically ignored is why the economic model of KeePass has failed so badly. Even if he wasn't sincere about maximizing security, he has to be aware of the sincerity of the potential users of his software. Can you imagine that a security program is going to attract many new users after a debacle like this?

    Maybe the old slashdot wou

    • In my fuzzy recollection of years gone by, I think slashdot comments were rather more insightful.

      It seems that way to me too, but maybe I was just young and stupid and had lower expectations? There is no way for me to know without going back and reading back issues, and there is no way I'm going to spend time on that.

      why the economic model of KeePass has failed so badly?

      It hasn't, the developer would just make less money with HTTPS ads. He wouldn't stop making money. He'd just make less off this particular residual revenue stream, and he's not willing to milk it for less than the maximum.

  • When the website is compromised with a MITM attack, the attacker can provide a (fake) download link which downloads a compromised binary from the compromised website, instead of the original binary from Sourceforge. In such case, the user does not know that the file should be digitally signed by a certain author. Instead, the attacker can modify the site to provide (fake) MD5 and SHA-1 hashes which validate the (fake) binary, or provide a self-signed binary. In particular, the problem is that the URL to the

    • The digital signature in question is not an external verification, but instead the one Windows does on the installer. So your UAC popup would also indicate it is a fake binary.

      • I doubt it. The binary could be unsigned, and the (fake) website provide some instructions on ignoring the UAC notification but validating the SHA-1 hash, which would be a sensible way to do when you do not have (or pay) a code signing certificate. More info, for example: http://www.excelsiorjet.com/kb... [excelsiorjet.com]

Genius is ten percent inspiration and fifty percent capital gains.

Working...