According to https://keepass.info/help/kb/sec_issues.html, it doesn't auto-update - it just displays that a new version is available. Enabling a man-in-the-middle to display a fake update notification, when there are fake versions of KeePass floating around and the user could easily slip up (and the MITM could guide the user towards a fake version), still feels like a hole, albeit a minor one.
It has, however, been resolved:
> the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.
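To illustrate the mitigation the quoted fix describes (the client only accepts a version-information file that carries a valid vendor signature), here is an added Go example. It is not KeePass's own code and does not use its real file format or keys: the file contents, the use of RSA-PSS padding, and the key size parameter (the page states RSA-4096 with SHA-512; the `main` below uses 2048 only so it runs quickly) are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"fmt"
)

// Constructed sample of a version-information file. This is NOT KeePass's
// real format; it stands in for whatever the vendor publishes.
const versionInfo = "KeePass:2.34\n"

// GenerateSigningKey creates the vendor's signing key pair. The bit size is a
// parameter so callers (and tests) can pick a smaller key than the 4096 bits
// the page reports KeePass uses.
func GenerateSigningKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignVersionInfo is the vendor-side step: hash the file with SHA-512 and sign
// the digest with the private key. RSA-PSS padding is an assumption here.
func SignVersionInfo(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha512.Sum512(data)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA512, digest[:], nil)
}

// VerifyVersionInfo is the client-side check against a public key shipped
// with (pinned in) the application. It returns true only when the signature
// matches the exact bytes received; any alteration of the file in transit, or
// an unsigned file, fails this check because producing a valid signature
// requires the vendor's private key.
func VerifyVersionInfo(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha512.Sum512(data)
	return rsa.VerifyPSS(pub, crypto.SHA512, digest[:], sig, nil) == nil
}

// AcceptUpdateNotice models the client decision: the update notice is shown
// only if the version-information file verifies; otherwise it is discarded
// and nothing is displayed to the user.
func AcceptUpdateNotice(pub *rsa.PublicKey, data, sig []byte) (string, bool) {
	if !VerifyVersionInfo(pub, data, sig) {
		return "", false
	}
	return string(data), true
}

func main() {
	priv, err := GenerateSigningKey(2048) // smaller than RSA-4096 for speed
	if err != nil {
		panic(err)
	}
	sig, err := SignVersionInfo(priv, []byte(versionInfo))
	if err != nil {
		panic(err)
	}

	// Genuine file: accepted and displayed.
	notice, ok := AcceptUpdateNotice(&priv.PublicKey, []byte(versionInfo), sig)
	fmt.Printf("genuine file accepted=%v notice=%q\n", ok, notice)

	// File altered in transit (constructed tampered content): rejected.
	tampered := []byte("KeePass:9.99\n")
	_, ok = AcceptUpdateNotice(&priv.PublicKey, tampered, sig)
	fmt.Printf("tampered file accepted=%v\n", ok)
}
```

The important design point is that the client pins the vendor's public key inside the application, so verification does not depend on the transport: HTTPS protects the download, and the signature independently protects the content even if the channel is intercepted.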