Closed dploeger closed 4 years ago
Thanks for adding it! Let's keep it and relevant discussions here. There were some attempts to make a security audit, but from what I know, they never completed. Meanwhile it's good that KeePass (KeeWeb is a port of KeePass) has some audits, including format audit.
Meanwhile it's good that KeePass (KeeWeb is a port of KeePass) has some audits, including format audit.
That is correct, but our usage of it might be flawed or our handling of storage or whatnot. It's still relieving to have such strong background! (That was why I decided to use KeePass in the first place)
Website https://keeweb.info/ is very beautiful and there are mentioned many great features of KeeWeb, except... the most important thing when dealing with passwords - no information how secure it is!
KeePass has some advanced security settings that should prevent script kiddies from easy stealing passwords. For example: Process Memory Protection or Enter Master Key on Secure Desktop (Protection against Keyloggers).
The big concern for me is that KeeWeb is in fact website. I know that nowadays websites could be extremely complicated, but in the end - it is still plain text interpreted by browser. When you open password database - it is fully accessible via browser, so... it is text, right? So the question is - how secure it is? How secure are KeeWeb memory allocation, cache/temporary files? It is everything cleaned as soon password database is closed?
I know that when someone have access to PC - it is only his/her knowledge and determination to steal password even from KeePass, but it must to be as difficult as possible. Steal passwords from website based application seems much easier than do it from native application like KeePass...
I'm always feeling a bit strange when using app (https://app.keeweb.info/ ) but do it anyway on rare occasions, from my mobile. ;-)
in the end - it is still plain text interpreted by browser
I'm not sure what is meant by "plain text". Nowadays a website is an application running in browser. This framework provided by browsers has its own limitations, for example you cannot clear the memory if you copy the password to clipboard, you cannot change memory permissions, and so on. A password to kdbx file (what's also called "master password"), as well as its hash, is not stored in memory in plaintext (it is stored, but xor'ed) when you enter it. Other passwords are also not exposed, unless they're copied or edited. If you have access to tab's memory, you will be able to extract some sensitive data from it, however it would be a serious exploit. Of course if we're running in a browser tab, we don't have access to protected memory, keychain, and other resources provided by OS. Whether to trust the isolation provided by browser, it's an open question for everyone, there's no universal answer to it.
It would be nice to assess the risks and make sort of white paper to simplify the decision process for end users (exactly what this issue is about).
For those who came across this issue and would like to make it happen: the donation button can be found on top of this repo.
@antelle do you have quotes on how much a security audit would cost? I'd be happy to donate towards it but it would help to ground the amount in reality :)
To be honest, no idea. For example, TrueCrypt collected $70.000, which is comparable to prices I've seen in different companies with regard to project size, but insane if you think about it from our perspective. I guess, a quality security audit with going deep into details would cost around 30..50k, but I may be very wrong here.
I'll try to get more info about pentests for open source software by contacting the guys from the wonderful OWASP project. Maybe there's an organization sponsoring pentests for OSS or making them affordable.
If not, maybe they can tell me about realistic prices for proper pentests and we could start a crowd funding initiative.
There's also Mozilla's Secure Open Source Fund, maybe it's worth going through that process too?
Okay, I did some research and have some leads thanks to the awesome guys over at the German chapter of OWASP:
And as @BurntBrunch already said, Mozilla's also offering this.
@antelle as the core maintainer, I guess, it's your decision what path to choose. In my opinion we might try to apply for both Mozilla and Hackmanit, because one more pentest can't really hurt and having multiple sources say KeeWeb's secure is a major benefit.
So how's it gonna be?
@dploeger thanks for this! OWASP: Not sure if it makes sense to perform an audit without a public report (I guess, it would be the most interesting part of it for our users), but if she's willing to do that, I'd like to collaborate and fix the findings. About €5k, this can be an achievable goal for our crowdfunding, but let's see how it goes. Hackmanit: I've sent my application there, let's see if we get anything. If the project is accepted, I'll comment here. Cure53: I see that it was quite long ago and there's a deadline mentioned there; I would assume, they don't do it anymore. Mozilla: Took a look on the question list in their application, and for most of them the answer is close to "no". I guess, they're looking for another kind of projects, more well-known and widely used tools like Firefox. I would doubt they will accept KeeWeb, but we can try of course.
Awesome. I'd suggest waiting for Hackmanit, then try Mozilla and then maybe look into Crowdfunding options.
Update: I got a response from Hackmanit, they accepted my application, in a few weeks they will decide if the project will be selected for audit or not. I'll post another update about it.
Awesome! Thanks for the update.
Update from Hackmanit:
We have selected your project for our pro-bono penetration testing program. Our plan is to submit you the report within the next 2-4 weeks.
Awesome!
Once the report is available, I'll post here, but I'll reserve a couple of weeks for me to fix any critical vulnerabilities before publishing it.
Update: the penetration test is complete, I've received a report from Hackmanit with some vulnerabilities that are related to:
I'm working on fixes now, they should come in the next release, and after some time I can share more details (if I'm allowed to, I'll ask them). Hackmanit will publish the report in 90 days (16th July 2020).
Published v1.14 with fixes of penetration test findings, the report will be revealed once the final version is available. I believe, this issue can be closed now. Normally penetration tests should be conducted on a regular basis, but with an open-source app it doesn't seem to be possible. Thank you @dploeger for a great find!
Oh, thank YOU, @antelle for doing this. That's pretty awesome.
Hackmanit folks have retested the vulnerabilities and confirmed that v1.4.2 contains all necessary fixes and recommendations. They've also sent the final version of the report, which will be published in a couple of weeks.
The report is published: https://www.hackmanit.de/images/download/2020-04_Open_Penetration_Tests_KeeWeb.pdf
That's great!
Wow! Awesome. @antelle Does the project get some kind of badge for that? If not, we should at least put an info on the website and the readme, that the version was tested.
Can we ask Hackmann again after some time to retest a new version?
No, I don't think there's any sort of badge, but they will post about the pentest next week. I've added it to our FAQ, since the report is already public, will think about other places where it can be relevant. I'm going to make a section in the readme with thanks and contributions, this can be included there too.
As Keeweb obviously is a security-sensitive application, a penetration test of the app by a third party is recommended.
This should be done regularly for stable versions and is surely a very large and expensive task, but I'm adding this issue for reference nonetheless. Maybe some kind user likes to fund or even do the pentest themselves, if they are in that line of business.