www.keepass.info is not secured by SSL. Therefore, an attacker could spoof the download pages on the site to point to a compromised version of KP.
Now it's true that the download links point to SF pages which are secure, but that doesn't address the site spoofing attack, except if people are careful to validate that the download is really coming from SF. Does everyone who downloads KP know to do that?
How much would it cost to host keepass.info with an SSL certificate (at least the download pages)?
To spoof the KeePass download page is a very specific attack, and if someone is that determined to attack KeePass, there are plenty of other mechanisms that would be as effective. There is little we can do to protect against a specific attack.
Thanks for your comment, I'm not sure I agree though.
Firstly, if there are known mechanisms for attacking KP, I think it would be good to share them - after all, KP is a security program, and generally speaking openness is better for security. So I personally think such a discussion would be very beneficial. Or maybe someone already did a security analysis?
Secondly, the download page points to OpenPGP signatures for builds. This implies to me that someone has considered the risk of fake binaries, and thinks that publishing signatures is a way to protect against that. These signatures are signed by a key published on the site, but since the site server is unauthenticated I'm not sure exactly what this achieves.
Finally, I don't agree that there is little to do against this attack - what can be done is to host the site, or at least the relevant pages, protected by SSL. I asked what the cost of this would be. I'm happy if someone then concludes the cost is not worth the benefit.
To make a KeePass specific attack all you need to do is persuade someone to install rogue software and that happens all day, every day.
How does an SSL connection guarantee the signatures have not been replaced with false ones?
If the signatures have been replaced by false ones, they will fail verification against the public key published on keepass.info
SSL guarantees that the public key indeed comes from the domain keepass.info. This is what would allow me to trust the public key and use it to verify the signatures.
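The verification flow discussed in the last two replies, as an added example that is not part of this thread or of the KeePass project's own release tooling. It uses openssl RSA detached signatures as a stand-in for OpenPGP signatures, generates every key and "build" locally (constructed data, nothing fetched from keepass.info or SourceForge), and walks through four cases: the genuine download, a swapped binary, a swapped binary plus a forged signature checked against the authentic key, and the case where the attacker also replaces the public key on the unauthenticated page. The only assumption is that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from the KeePass project.
# openssl RSA signatures stand in for the OpenPGP detached signatures the
# thread discusses; all keys and files are generated here (constructed data).

WORK=$(mktemp -d)

# Generate a private key and its public half as $WORK/<name>.key / .pub.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Write a detached SHA-256/RSA signature over file $2 with key $1 to $3.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

# Verify detached signature $3 over file $2 with public key file $1.
# Exit status 0 = valid, non-zero = invalid (same contract as gpg --verify).
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# The publisher releases a genuine build, its signature and its public key.
setup_publisher() {
    gen_key publisher
    printf 'genuine build bytes (constructed)\n' > "$WORK/genuine.bin"
    sign_file publisher "$WORK/genuine.bin" "$WORK/genuine.sig"
}

# The attacker prepares a trojaned build signed with their own key.
setup_attacker() {
    gen_key attacker
    printf 'trojaned build bytes (constructed)\n' > "$WORK/evil.bin"
    sign_file attacker "$WORK/evil.bin" "$WORK/evil.sig"
}

# Case 1: genuine download checked against the genuine key -> valid.
case_genuine() {
    verify_file "$WORK/publisher.pub" "$WORK/genuine.bin" "$WORK/genuine.sig"
}

# Case 2: spoofed page serves the trojan but leaves the real signature -> invalid.
case_swapped_binary() {
    verify_file "$WORK/publisher.pub" "$WORK/evil.bin" "$WORK/genuine.sig"
}

# Case 3: spoofed page serves the trojan plus the attacker's signature, but the
# user verifies with the publisher's key obtained from an authentic source
# -> invalid. This is the "replaced signatures fail verification" case.
case_swapped_binary_and_sig() {
    verify_file "$WORK/publisher.pub" "$WORK/evil.bin" "$WORK/evil.sig"
}

# Case 4: the spoofed page also replaces the public key, and the user takes
# the key from that same unauthenticated page -> the forgery verifies fine.
# This is why the origin of the key, and hence TLS on the page, matters.
case_swapped_key_too() {
    cp "$WORK/attacker.pub" "$WORK/downloaded.pub"
    verify_file "$WORK/downloaded.pub" "$WORK/evil.bin" "$WORK/evil.sig"
}

setup_publisher
setup_attacker
case_genuine                && echo "case 1: genuine build verifies"
case_swapped_binary         || echo "case 2: swapped binary rejected"
case_swapped_binary_and_sig || echo "case 3: swapped binary and signature rejected"
case_swapped_key_too        && echo "case 4: swapped key makes the forgery verify"
```

Case 4 is the one the signatures alone cannot catch: a signature only binds the file to whichever key you chose to trust, so the key must arrive over a channel the attacker cannot tamper with (an HTTPS page, a key server, a fingerprint checked out of band), or the signature check merely confirms that the attacker signed their own trojan.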