Re: [Passwordsafe-devel] Semi-automatic update option?
From: dk <dk...@gm...> - 2007-09-16 07:06:45
Actually, I would prefer this wasn't implemented (see PS below) but if it were, I am OK with Rony's restrictions and Greg's addition: ".... with an option (disabled by default) to automatically check for updates once a week" - although I would make the time period a user configurable number of days, weeks or even an option of whenever first started on a day.

However, I don't think PWS should either display the URL to be able to download it or offer to do so! The user should just be informed that there is a new version and then they can download it as they would normally, using whatever precautions they want/would normally use.

David

PS. Personally, I use a free utility from the web called Webmon (http://www.btinternet.com/~markwell/webmon/), where I set it up to go check for changes at all the sites I am interested in. I can use it to check single sites or all and to specify the exact start & end strings of the content to check, i.e. latest version number of PWS!

-----Original Message-----
From: pas...@li... [mailto:pas...@li...] On Behalf Of ronys
Sent: 15 September 2007 12:44
To: pas...@li...
Subject: [Passwordsafe-devel] Semi-automatic update option?

Hi,

Users have been asking for an automatic update mechanism for PasswordSafe, so I've begun thinking on how to implement it: I've never liked applications that take the liberty of connecting to a server without asking me, to check for updates and who knows what else. So here's how I'd go about it for PasswordSafe:

- The Help->About dialog would have a "check for update" button. This button will initiate a connection (described in a minute) IF AND ONLY IF there's no "open" database, that is, there's no sensitive data in the application's memory. My main worry here is that an attacker can do a man-in-the-middle attack and find some kind of exploit (e.g., buffer overflow) to access and download sensitive data.

- The update button will open a hardcoded URL, something like "https://passwordsafe.sf.net/latest.txt". This will have the version information for the latest & greatest, and a URL for downloading it.

- I'm wondering if it's worth adding signature verification capability, so that the downloaded version can be verified as authentic. On one hand, this is easily subverted if the attacker replaces the victim's original version with one that fakes the validity check; on the other hand, if the attacker can do this, then the attacker can already do what he wants with the user's data, so the validity check is the least of his worries...

I'd be very happy to get comments/criticism/suggestions on the above.

Cheers,

Rony
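The update-check policy discussed in this thread, as an added example that is not part of the thread or of the PasswordSafe code base (PasswordSafe is C++; Go is used here because its standard library carries Ed25519). It assumes a key=value layout for latest.txt, assumes the project signs the manifest itself with a detached Ed25519 signature whose public key is compiled into the client (one step beyond Rony's suggestion of signing only the downloaded binary, and the step that answers his man-in-the-middle worry: a tampered manifest fails before it is parsed), and uses constructed version numbers, URLs and keys. The HTTPS fetch is left to the caller so the policy can run offline. It applies Rony's rule of never touching the network while a database is open, David's rule of reporting only that a newer version exists without showing the URL, and compares versions numerically so that 3.10 is correctly newer than 3.9.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Version is a numeric major.minor.patch triple; a string compare would put "3.9" after "3.10".
type Version [3]int

// UpdateInfo is what the client extracts from latest.txt (assumed key=value layout).
type UpdateInfo struct {
	Latest      Version
	DownloadURL string
}

var (
	ErrDatabaseOpen = errors.New("update check refused: a database is open")
	ErrBadSignature = errors.New("latest.txt: detached signature does not verify")
)

// ParseVersion accepts "3.9", "3.10.1" etc.; missing components are zero.
func ParseVersion(s string) (Version, error) {
	var v Version
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// Compare returns -1, 0 or 1 as v is older than, equal to or newer than w.
func (v Version) Compare(w Version) int {
	for i := range v {
		if v[i] != w[i] {
			if v[i] < w[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// ParseLatest parses the assumed "version=..." / "url=..." manifest; unknown keys are ignored
// so the format can grow without breaking old clients.
func ParseLatest(body string) (UpdateInfo, error) {
	var info UpdateInfo
	var haveVersion, haveURL bool
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return info, fmt.Errorf("latest.txt: malformed line %q", line)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch key {
		case "version":
			v, err := ParseVersion(val)
			if err != nil {
				return info, err
			}
			info.Latest, haveVersion = v, true
		case "url":
			if !strings.HasPrefix(val, "https://") {
				return info, fmt.Errorf("latest.txt: download URL must be https, got %q", val)
			}
			info.DownloadURL, haveURL = val, true
		}
	}
	if !haveVersion || !haveURL {
		return info, errors.New("latest.txt: missing version or url")
	}
	return info, nil
}

// SignManifest is the release-side half: signing happens on the release machine, never in the client.
func SignManifest(priv ed25519.PrivateKey, body []byte) []byte { return ed25519.Sign(priv, body) }

// CheckForUpdate is the client-side policy: refuse while a database is open, verify the signature
// over the exact bytes before parsing anything, and report only that a newer version exists.
func CheckForUpdate(dbOpen bool, current string, pub ed25519.PublicKey, body, sig []byte) (string, error) {
	if dbOpen {
		return "", ErrDatabaseOpen
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, body, sig) {
		return "", ErrBadSignature
	}
	info, err := ParseLatest(string(body))
	if err != nil {
		return "", err
	}
	cur, err := ParseVersion(current)
	if err != nil {
		return "", err
	}
	if info.Latest.Compare(cur) > 0 {
		return fmt.Sprintf("A newer version of Password Safe (%d.%d.%d) is available.", info.Latest[0], info.Latest[1], info.Latest[2]), nil
	}
	return "You are running the latest version.", nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	if err != nil {
		panic(err)
	}
	manifest := []byte("version=3.10.0\nurl=https://passwordsafe.sf.net/pwsafe-3.10.0.exe\n") // constructed
	sig := SignManifest(priv, manifest)
	_, err = CheckForUpdate(true, "3.9.0", pub, manifest, sig)
	fmt.Println("database open :", err)
	msg, err := CheckForUpdate(false, "3.9.0", pub, manifest, sig)
	fmt.Println("genuine       :", msg, err)
	tampered := []byte(strings.Replace(string(manifest), "passwordsafe.sf.net", "attacker.example", 1))
	_, err = CheckForUpdate(false, "3.9.0", pub, tampered, sig)
	fmt.Println("MITM-tampered :", err)
}
```

Run with `go run`. The embedded public key is what gives the check its value: TLS only authenticates the server the client reached, so a compromised hosting account or a MITM with a forged certificate could still serve a manifest pointing at a trojaned download, whereas a signature made on the release machine cannot be forged without that machine's private key. Rony's caveat still stands: an attacker who has already replaced the installed client can strip this check out, and no update mechanism can defend against that.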