Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

Trust level of ports and plugins?

Help
2014-04-17
2014-05-27
  • Todd W. Powers
    Todd W. Powers
    2014-04-17

    I have been using KeePass for several years now, but I have never installed any plugins or run any alternative ports of KeePass. I would like to synchronize my passwords with my Android device, but I am concerned about trusting any plugin or Android port of KeePass.

    How can we be reassured that these ports/plugins aren't collecting our logins and covertly sending them to someone? Do they have to be vetted in some way? What happens when they release an update? Do they have to be re-vetted?

    I am concerned about this vulnerability of ports and plugins. What assurance do we have that our information remains safe when using these third-party products?

     
  • wellread1
    wellread1
    2014-04-17

    KeePass has been in existence for over 10 years and is widely trusted and highly regarded.

    However there is no standard for auditing or vetting open source software, including KeePass, plugins, ports and packages. A common presumption is that other competent developers occasionally review the source code and/or compile it and would report malicious code if they found it. The average user must trust the developer and decide to use a product based on its reputation, or audit and compile the source code themselves.

    The trust relation for plugins, ports and packages (products) is separate from KeePass. It is between you and the product developer. The KeePass developer does not have the resources to vet all products and product revisions. Some comments about plugin security can be found at http://keepass.info/help/v2/plugins.html.

    Note: Several popular plugins are written by the KeePass developer, with whom you already have a trust relation if you use KeePass.

    My understanding of the Google play store is that automated vetting for major abuses is performed on applications when they are uploaded. Mal-ware has gotten through in the past but Google has been diligent about removing applications found to be malicious.

     
    Last edit: wellread1 2014-04-17
  • Todd W. Powers
    Todd W. Powers
    2014-05-27

    Thank you wellread1 for the eloquent reply. Yes. I understand that the trust in KeePass is implicit and I don't have any concern about it. I guess I was hoping that all plugins and "officially supported" alternate versions had been vetted in some way, by the authors of KeePass, before being listed as an official plugin.

    Honestly, the "vetting" process would need to go further than simply making sure the plugin wasn't stealing passwords. It would need to ensure that the plugin was written with a certain level of competence to be trusted in handling users' passwords. (i.e. using SSL connections, not sending plain text passwords over the wire, etc)

    These security related concerns are most likely above many competent developers' radar and might actually be neglected by many reviewers of the source code. I've worked with a fair number of developers over the years, competent as they may be, that do not typically have the frame of mind to be thinking about every possible way that a solution might be exploited. For many projects this type of scrutiny is not necessarily required. For KeePass however, it most definitely is.

    The problem I see is that the open source community is no longer comprised of a limited set of trustworthy developers as it was in years past. These days, many children with a malicious nature have the knowledge to create and distribute software. Not to mention foreign governments and hacking organizations. These malicious pieces of software may just be quietly collecting information in the background and nobody would be the wiser.

    As KeePass is more of a "consumer" product, there are lots of people who probably use KeePass, who have no clue about auditing and compiling source code themselves. It would be beneficial if the KeePass developer(s) put together a plugin submission system, whereby code would be reviewed and approved.

    I have done development for other open source software systems that provide just that... A way to develop plugins, and a vetting process for submitting your plugin for approval. Of course, you are free to distribute it yourself directly, but if you want it listed in the master project's "approved plugins", you have to submit it to them for approval.

    I believe the open source community as a whole would benefit from this sort of submission system for any software that provides the ability to create "plugins" or "extensions" of any kind. It's too bad that SourceForge doesn't provide the automation mechanisms required so that project developers could choose to use this feature if they wanted a pre-built, semi-automated system for people to submit plugin/extension source to be vetted and officially approved by the project developer.

     
  • wellread1
    wellread1
    2014-05-27

    I guess I was hoping that all plugins and "officially supported" alternate versions had been vetted in some way, by the authors of KeePass, before being listed as an official plugin.

    Certifying the quality and safety of plugins and alternate versions is not a trivial undertaking. It would require substantial resources from the single developer. I don't really see how it would be in the developer's best interest to lend his credibility and trustworthiness to third-party submissions unless he had the resources to thoroughly audit submissions and revisions.

    Besides the resources required, the distributed nature of plugin authors work products means that for all intents and purposes, plugins and alternate versions are "side loaded". They are not provided from a single controlled source that can be monitored constantly (e.g. a play store). Such a resource might be nice for open source software, but it is beyond the scope of this project.

    On the other hand, providing a page(s) that provides links to plugins and alternate versions is a service of considerable benefit to KeePass users.

    P.S. I agree "that the open source community as a whole would benefit from this sort of submission system [centralized vetting & distribution] for any software..."

     
    Last edit: wellread1 2014-05-27
  • Paul
    Paul
    2014-05-27

    A source code audit system would be fantastic, but that would involve time and therefore money, neither of which are in surplus at KeePass HQ. Moving KeePass to a commercial model would potentially make this possible, but I can't see it happening.

    cheers, Paul