by mywittyname
1961 days ago
The "security issue" you're talking about was that the URL used to determine if there is a new version available was HTTP-only. People felt like this was a security concern because it was susceptible to a MitM attack. The author felt like this was a non-issue because Keepass did not self-update at all; the URL was only used to inform the user of a new version. So a successful MitM attack would merely inform the user of a new version. New versions of the software were served via mirrors, and digital signatures for all versions were made available.
Standard security practice for the era was to verify the digital signatures of software before installing it because so much software was served by third parties. Also, this all happened before HTTPS was ubiquitous (the patch to force version checks to use HTTPS came in 2016). Most sites still served traffic over regular HTTP, with only logins and purchase pages using encryption.
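The distinction the comment draws (a forgeable version notice versus a signed release) can be shown in code. The following Go program is an added example and is not KeePass's code; it assumes a hypothetical client that treats the version string from the update-check server as untrusted input and verifies a detached Ed25519 signature over the installer against a pinned publisher key. Ed25519, the key pair, the version numbers and the installer bytes are all constructed for the example; the real project's signature scheme is not assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
)

// parseVersion turns a dotted version string such as "2.34" into its integer
// components. Anything that is not a plain non-negative integer is rejected so a
// malformed notice received over the network cannot confuse the comparison.
func parseVersion(s string) ([]int, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version component %q in %q", p, s)
		}
		out = append(out, n)
	}
	return out, nil
}

// NewerVersionAvailable compares the installed version with the version string
// advertised by the update-check server. The advertised string is treated as
// untrusted input: the only effect of a forged value is a (true or false)
// "new version available" notice, never a download or an install.
func NewerVersionAvailable(installed, advertised string) (bool, error) {
	a, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(advertised)
	if err != nil {
		return false, err
	}
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if y != x {
			return y > x, nil
		}
	}
	return false, nil
}

// VerifyRelease checks a detached Ed25519 signature over the raw installer bytes
// against a publisher key pinned in the client. Only after this returns true
// should the user be told the download is genuine. Ed25519 is a constructed
// choice for this example, not the real project's scheme.
func VerifyRelease(pub ed25519.PublicKey, installer, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, installer, sig)
}

func main() {
	// Constructed scenario: the version notice arrives over plain HTTP and
	// someone on the path rewrites it. The client only shows a notice.
	newer, _ := NewerVersionAvailable("2.34", "9.99")
	fmt.Println("forged notice says newer version:", newer)

	// The installer itself is covered by a signature a third party cannot forge.
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the pinned publisher key
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes")
	sig := ed25519.Sign(priv, installer)
	fmt.Println("genuine installer verifies:", VerifyRelease(pub, installer, sig))

	// A mirror serving a modified file fails verification regardless of
	// whether the version notice was tampered with.
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 0x01
	fmt.Println("tampered installer verifies:", VerifyRelease(pub, tampered, sig))
}
```

The design point is that a hash published alongside the version notice would not help here, since whoever controls the plain-HTTP notice also controls that hash; the installer's integrity rests on the signature checked against a key the client already holds, independent of the transport.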