From fe81d6a2cc421fa89662c1f9995779f3e86491f7 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Thu, 13 Jul 2017 14:04:58 -0700
Subject: [PATCH] Remove note about KeePassHTTP

I am helping to edit a guide to using KeePassXC, and found that the author had inserted a warning: "If your machine is compromised, an attacker can intercept the communication between your browser plug-in and KeePassXC." I believe that was motivated by the warning text here.

As noted in https://github.com/pfn/keepasshttp/issues/258 and https://github.com/keepassxreboot/keepassxc/issues/147, communicating via HTTP with localhost is safe, since an attacker who can intercept localhost communications can just read your passwords directly.

Since localhost-only is now the default mode in KeePassHTTP, I think this note just creates confusion and unnecessary fear among users.
---
 project.html | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/project.html b/project.html index dc20528..014931d 100644 --- a/project.html +++ b/project.html @@ -35,15 +35,6 @@
Additional Features

For a full list of new features and changes, have a look at the full KeePassXC changelog. -

-
A note about KeePassHTTP
-

KeePassHTTP is not a highly secure protocol and has certain flaws which allow an attacker to decrypt your - passwords if they manage to intercept communication between a KeePassHTTP server and PassIFox/chromeIPass over a - network connection (see here and here). KeePassXC therefore strictly - limits communication between itself and the browser plugin to your local computer. As long as your computer is - not compromised, your passwords are fairly safe that way, but use it at your own risk! -
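Review bot: Deleting the whole "A note about KeePassHTTP" block also removes the only statement on this page that KeePassXC "strictly limits communication between itself and the browser plugin to your local computer", and with it the two "see here and here" references to the protocol's flaws over a network connection. The commit message describes localhost-only as the default mode, which is a narrower claim than the removed text made, so a reader no longer learns that the safety argument depends on the listener staying bound to the local machine. Consider replacing the paragraph instead of dropping it: keep one factual sentence saying that browser-plugin communication is restricted to the local computer and that the protocol is not meant to be exposed over a network, and drop only the "fairly safe" and "use it at your own risk" wording that the commit message identifies as the source of confusion.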