KeeWeb Security: Is it still safe to use Keeweb in 2023? #2077
I'd say the core is safe, but the dependencies could be vulnerable. If there's a risk it would be a sideloading attack or such on the client side. If you're worried, you should switch to KeePassXC which is compatible. You have to sync the database yourself though. I think there's a bigger risk that stuff like signing certs or synchronization and stuff that requires active maintenance will stop working first, or OS compatibility will become outdated.
I absolutely agree and I was expecting this kind of answer. This is exactly why I use KeeWeb's core only, without any dependencies, which is already inconvenient. Thank you. I really appreciate your reply.
Though the dependencies could be vulnerable, you do have the option of forking it and then running dependabot against your fork, merging whatever dependabot flags, then building from there. Overall, that should be a reasonably low-effort way to mitigate supply chain vulns. A fork that just comprises SCA automations & releases would be amazing to see. I do think it's unfortunate that the project is no longer maintained, and #2022 hasn't seemed to gain any apparent traction, whether that's due to a lack of applicants, or a lack of quality applicants, or a lack of time to actually hand over to the new maintainer. Related: Can anyone suggest a good Windows client alternative? On macOS I would probably turn to Strongbox (I don't mind their pricing model), same for iPhone if I had an iPhone. The only gap is Windows - I'd be happy enough to keep using KeeWeb (especially via a fork that includes SCA mitigations) but I wonder if there's a maintained alternative that has a more "native" UX.
In fact, I've gone ahead and soft-forked this & enabled dependabot. I'll respond to merge requests by dependabot and try to publish releases whenever I do that.
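One concrete shape for the "fork plus dependabot" approach described in the two comments above. This is a constructed example, not a file from the KeeWeb repository or from any fork in this thread; it assumes the fork keeps its npm manifest (`package.json`) at the repository root and that Electron major bumps are deliberately held back, as the framework changes mentioned later in the thread suggest.

```yaml
# .github/dependabot.yml (constructed example for a KeeWeb fork)
version: 2
updates:
  # Assumption: package.json lives at the repo root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Version-update PRs are what make dependabot noisy. Setting this to 0
    # disables version updates entirely while security updates for known
    # advisories keep being opened, which is the "only merge what it flags"
    # workflow described above. Raise it if you also want routine bumps.
    open-pull-requests-limit: 0
    # When version updates are enabled, collapse dev tooling into one PR.
    groups:
      dev-tooling:
        dependency-type: "development"
    ignore:
      # Electron cannot move further without reorganising the app framework,
      # so leave major bumps to a maintainer rather than to automation.
      - dependency-name: "electron"
        update-types: ["version-update:semver-major"]
  # Keep the release/CI workflows themselves patched as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Merging a dependabot security PR only updates the lockfile; the fork still has to rebuild and publish a release for end users to actually receive the fix, which is the step the thread notes is easy to let slip.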
@strazto will you also do some releases next time?
Oh lol dependabot is actually annoying as hell so I got distracted, I'll have another crack
I was checking the status of #2022 and just by chance also saw this ticket. Now I'm wondering if instead of a fork this branch could be maintained (even if only for these dependency updates). 🙃
I offered to help maintain like a year ago or more but got no response. I'm not in the EU so maybe that's why. |
@strazto I just found this which looks promising: https://github.com/OneKeePass/desktop Although, it seems limited at the moment with no Dropbox integration and it doesn't like my existing db when I tried to load it just now 😢
v1.19 will fix any vulnerabilities that existed in older packages that are currently in use. The beta version right now is using mostly updated packages, aside from Electron, which got a slight bump, but we need to re-organize the framework in order to update Electron any further. I went through the list of known vulnerabilities before I began updating, and most of them are related to a compromised development environment, or users who have their own system compromised. And obviously the developer environment vulnerabilities won't affect the end user unless you're building your own release of KeeWeb. As long as your system itself isn't compromised, you should have no issues maintaining a secure KeeWeb database.
Good to see the project has picked up new maintainership. Thank you for addressing this @Aetherinox
Happy New Year!
Since there has been no development and the project is on hold and probably EOL - what about KeeWeb's security? Is it still safe to use KeeWeb for Mac/Windows in 2023?
Any replies are highly appreciated.