But there are technical solutions to this and the fact that he hasn't figured that out concerns me, especially since this is a security product he's making. I get the ads, it's not like the people who are using the software are paying for it and god forbid they donate to help the continued development. Make just the download page https, but put a page in front of it so he can keep serving his ads. He can have it both ways though, that's my point.

HTTPS cannot prevent a compromise of the download server; checking the digital signature does."

And skip fake webviews for crappy ad networks? no way users should check whether the file is digitally signed. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.

An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. You can also verify that you're getting a signed download, if you're worried. To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high - namely, it'd lose ad revenue. Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. An anonymous reader quotes this report from Engadget: