I was looking into starting to use KeePass as the password manager and the first thing I searched for was browser integration. I think KeePassHttp is a very useful tool but when I looked deeper I found some issues. The communication between KeePass and the browser plugin is encrypted using AES-256. The implementation in KeePassHttp is not secure though. Attackers who are able to capture this encrypted traffic and send requests to the server can manage to decrypt captured passwords. Users who don't enable any remote connection and only stay on localhost for both client and server should be fine; others could be in trouble.