404 Tech Support

KeePass 2.34 update brings https update check

KeePass, my preferred password manager, released version 2.34 this weekend. The changelog includes:

New Features:

The version information file (which the optional update check downloads to see if there exists a newer version) is now digitally signed (using RSA-4096 / SHA-512); furthermore, it is downloaded over HTTPS.
Added option ‘Lock workspace when minimizing main window to tray’.
Added option ‘Esc minimizes to tray instead of locking the workspace’.
Added Ctrl+Q shortcut for closing KeePass (as alternative to Alt+F4).
Added UIFlags bit for disabling the ‘Check for Updates’ menu item.
The installers (regular and MSI) now create an empty ‘Plugins’ folder in the application directory, and the portable package now also contains such a folder.
Plugins: added support for digitally signed version information files.

Improvements:

Plugins are now loaded only directly from the application directory and from any subdirectory of the ‘Plugins’ folder in the application directory.
Improved startup performance (by filtering plugin candidates).
When closing a database, KeePass now searches and deletes any temporary files that may have been created and forgotten by MSHTML when printing failed.
CHM help file: improved high DPI support.
Various code optimizations.
Minor other improvements.

Bugfixes:

(None).

The point worth discussing with this update is the first new feature. The version information file is now digitally signed and the file downloaded to compare versions is now downloaded over HTTPS.

The attention to this particular issue came from a bug report in early March that found the update check to happen over HTTP, leaving the software susceptible to a man-in-the-middle attack. If you controlled a WiFi AP that somebody utilized, you could intercept the traffic and provide the information that an update is available. The update checker, however, does not download the update. The KeePass website is over HTTP as well, so the bug report speculates that the update download could also be intercepted and manipulated. For a security-oriented utility trusted with protecting important accounts and passwords, this is a bit concerning.

A thread on the KeePass SourceForge forums discussed the issue and the developer stated that the issue would not be fixed due to cost to implement. That stance has now apparently been reversed as the fix has been implemented with the latest version of KeePass Professional Edition, both the installer and the portable versions.

The controversy surrounding this implementation seems to have been ‘making a mountain out of a mole hill’ and it is still recommended to check the file’s hash and AuthentiCode signature on the file through File Explorer, Properties, and the Digital Signatures tab.