The vulnerability that allowed man-in-the-middle attacks on the popular KeePass password manager is reportedly set in the new KeePass 2.34 update.
The attacker could successfully use the technique used by older versions of KeePass to check for new updates. The application did not verify the information that came from the KeePass server nor did it use a secure transport protocol to pass the update to the user's system.
So the attacker could manipulate the information and deliver a malicious copy of KeePass to the end user.
So it is currently recommended that you download the new version of KeePass 2.34 from the project website or from the links below and not automatically from your application.
The new KeePass 2.34 version fixes the issue of update checks by sending version information via HTTPS, and signing them digitally. So today it will accept only version information files that have a digital signature.
All KeePass executables are signed, and it is quite easy to verify that the digital signature is correct. To verify the signature, open the KeePass directory on your system, right-click on any executable archive, επιλέξτε Ιδιότητες από το μενού, και δείτε τις "ψηφιακές υπογραφές."
Η υπογραφή θα πρέπει να αναφέρει "Open Source Developer, Dominik Reichl". Αν δεν το αναφέρει διαγράψτε άμεσα τα αρχεία και σκανάρετε τον υπολογιστή σας με κάποιο αξιόπιστο antivirus.
We should mention that the application is one of the few of its kind that we prefer, as it stores the codes access encrypted, locally and not somewhere on the internet.
KeePass 2.34
Portable:
Supported operating systems:
Windows 98, 98, 2000, 2003, Mono (Linux, Mac OS X, BSD, ...).
Prerequisites:
Microsoft .NET Framework ≥ 2.0 (already included in Windows Vista and higher) or Mono ≥ 2.6.
