HaveIBeenPwnedKeePassPlugin as part of the Supply Chain Security

[ravage84]

Hi Ralph

First of all thank you for this nifty plugin.

This issue here is not a code issue but more of a theoretical and organisational one.

Since credentials, passwords, API tokens etc. stored in KeePass files are highly sensitive and thus quite valuable for hackers, preventing any security incidents is absoutely essential.

Now, when one uses your plugin, especially in a professional environment, your plugin or better said you, your GitHub account and the plugin repo become part of the potential attack surface.

Because of this, I was wondering if you are aware of this and what security measures have you in place to prevent things like:

• Taking over your GitHub account
• Manipulation of the plugin's code
• Injecting malicious code in the release artifacts

For example, do all of the developers who have write access to the plugin have 2FA activated in GitHub? Or is there another developer besides you with admin access to the repo in case of an incident?

Greetings from Basel Marc

[kapsiR]

Hi Marc, thanks for the kind words and for bringing this up! These are good questions and I can understand your concern.

The status quo:

• I'm the only person with write access right now
• Yes I'm using 2FA (for almost every service that supports it)

What we probably can improve here:

• Make the build more reproduceable with additional scripts and/or a GitHub action (right now it's a git hash in the informational version attribute)
• Introduce signatures (authenticode / gpg)
• It's always possible to monitor this repo for changes on your end
• It's always possible to build the artifacts on your end

Your thoughts?

[ravage84]

The status quo: I'm the only person with write access right now Yes I'm using 2FA (for almost every service that supports it)

That's a good start.

It might be worth covering the state of the security of the plugin on the repo. A short note in the README, for example. This would directly address the conerns of others, like me.

[ravage84]

It's always possible to monitor this repo for changes on your end It's always possible to build the artifacts on your end

Fair point. Everybody who uses a dependency of any kind (tool, library, framework etc.) should do their homework, first (as far as possible & sensible).

But I'm really questioning whether the current plugin system of & for KeePass is up to the requirements of the time.

For example, I checked the code of your plugin, before installing it.

Though since KeePass is about highly sensitive data, I don't think the current simplistic plugin page is sufficient.

Security. Most of the plugins listed on this page are developed by different, independent authors. The KeePass team cannot check all plugins for bugs and malicious code.

I'd argue that the current setup & statements like the one above keeps a lot of people from using any plugins because the uncertainty & risks are too high.

Actually, it has kept me from doing so up until now.

So, I think in the end the best way to improve the security of the KeePass ecosystem was a curated list of plugins, down to each release.

Like Mozilla has for the addons of Firefox. For instance, one security checked and one unchecked addon:

https://addons.mozilla.org/firefox/addon/adblock-plus/ https://addons.mozilla.org/firefox/addon/passbolt/

This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.

https://support.mozilla.org/kb/add-on-badges?utm_content=install-warning&utm_medium=referral&utm_source=addons.mozilla.org

This would bring the necessary certainty to have confidence in the plugins offered.

[kapsiR]

The status quo: I'm the only person with write access right now Yes I'm using 2FA (for almost every service that supports it)

That's a good start.

It might be worth covering the state of the security of the plugin on the repo. A short note in the README, for example. This would directly address the conerns of others, like me.

Here you go 😉

[kapsiR]

Regarding your arguments about the plugin ecosystem of KeePass in general, I recommend to start a discussion in the official forums.

You are right that there is room for improvement, but don't forget there is no company like Mozilla that can afford security checks of the plugins others provide.

I close this as resolved. Feel free to ask any further questions...