Bug #8121

Consider disabling KeePassX' autotype feature

Added by intrigeri 2014-10-14 15:21:38 . Updated 2017-05-22 17:29:40 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2014-10-14
Due date:
% Done:

100%

Feature Branch:
Type of work:
Research
Blueprint:

Starter:
Affected tool:
Password Manager
Deliverable for:

Description

The paper Password Managers: Attacks and Defenses by David Silver et al. has found serious security issues with all tested password managers that implement an autotype feature. We should investigate if KeePassX’s version is affected, and if so consider disabling it somehow.


Subtasks


Related issues

Related to Tails - Bug #8789: Keepassx autotype doesn't work with German keyboard layout Rejected 2015-01-24
Related to Tails - Feature #9555: Include a pinentry GUI that's well integrated within GNOME Rejected 2015-06-10

History

#1 Updated by sajolida 2014-10-15 16:24:06

Currently, AutoType is the only way to paste a password in Pinentry in
Tails (see KeePassX documentation), for example, for an OpenPGP key. So
disabling the AutoType would introduce a regression in that aspect.

#2 Updated by intrigeri 2014-10-16 01:30:50

> Currently, AutoType is the only way to paste a password in Pinentry in Tails (see KeePassX documentation), for example, for an OpenPGP key. So disabling the AutoType would introduce a regression in that aspect.

Urgh. Can the AutoType feature be enabled on a per-application basis? In our case, that would be either “everything but the web browsers” or “nothing but pinentry”.

#3 Updated by matsa 2014-10-22 21:24:28

> Can the AutoType feature be enabled on a per-application basis?

When adding a new entry in Keepassx, it’s possible to select the target window (based on the window’s title), by selecting “Tools” (on the bottom-left corner) then “Auto-type: Select target window”

#4 Updated by intrigeri 2015-01-27 08:07:26

  • related to Bug #8789: Keepassx autotype doesn't work with German keyboard layout added

#5 Updated by intrigeri 2015-07-12 03:20:48

  • Assignee deleted (intrigeri)

#6 Updated by segfault 2016-02-02 13:44:09

  • related to Feature #9555: Include a pinentry GUI that's well integrated within GNOME added

#7 Updated by anonym 2016-03-03 23:12:37

  • Description updated

#8 Updated by anonym 2016-03-03 23:15:23

  • Assignee set to anonym
  • Target version set to Tails_2.3

I’ll read the paper. From an initial very fast skim, I think that the methods used by the affected password managers in the paper are much more advanced than KeePassX’s simplistic approach, and that actually might save it — it’s method should be no less insecure than typing the password yourself.

#9 Updated by dkg 2016-03-09 21:04:03

as i understand the paper from a quick skim, it’s primarily about autofill attacks. If you can avoid having your password manager auto-populate forms that appear to be password entries, then you should avoid most of these concerns.

I haven’t used keepassx, but does it actively target all web forms as they appear? or does it only activate when you explicitly trigger it? if it’s the latter, the attacks listed in section 5.1 in this paper are not relevant. the (weaker) remaining attacks in section 5.2 are still relevant, but require much deeper integration in the browser than i think keepassx is capable of doing.

do not trigger keepass to enter your passwords into an insecure webpage (or any other insecure network resource)!

#10 Updated by dkg 2016-03-09 21:07:20

sajolida wrote:
> Currently, AutoType is the only way to paste a password in Pinentry in
> Tails (see KeePassX documentation), for example, for an OpenPGP key. So
> disabling the AutoType would introduce a regression in that aspect.

newer versions of pinentry (since 0.9.6) now support traditional copy/paste, if you want that. I think this means that they shouldn’t require “auto-type”. jessie only has pinentry 0.8.3, though.

If you’d like a backport of pinentry to jessie-backports, feel free to file a wishlist bug with the debian BTS, i don’t think that should be a difficult thing to accomplish.

#11 Updated by segfault 2016-03-09 21:25:03

  • Subject changed from Consider disabling KeePasX' autotype feature to Consider disabling KeePassX' autotype feature

dkg wrote:
> If you’d like a backport of pinentry to jessie-backports, feel free to file a wishlist bug with the debian BTS, i don’t think that should be a difficult thing to accomplish.

Yes! A backport of pinentry would be great! We just decided in the monthly meeting that we want to use the pinentry from stretch, which allows pasting. The ticket is Bug #11099.

#12 Updated by anonym 2016-03-09 22:33:07

dkg wrote:
> as i understand the paper from a quick skim, it’s primarily about autofill attacks. If you can avoid having your password manager auto-populate forms that appear to be password entries, then you should avoid most of these concerns.
>
> I haven’t used keepassx, but does it actively target all web forms as they appear? or does it only activate when you explicitly trigger it? if it’s the latter, the attacks listed in section 5.1 in this paper are not relevant. the (weaker) remaining attacks in section 5.2 are still relevant, but require much deeper integration in the browser than i think keepassx is capable of doing.

This is was also my conclusion. Like I said above, KeePassX uses a simplistic method: when auto-typing it will just switch to the target window and after a short delay (so the GUI becomes ready) then simulating keypresses (xdotool-style) for the password. KeePassX has no way of focusing on the password entry itself, so the user must already have focused on it, or the keypresses will “leak”. So KISS saves the day it seems, at least w.r.t this paper.

Note that KeePassX also supports entering the username, which then requires focusing the username entry, and that a TAB will focus the password entry. Again, KISS should save the day.

Do you agree? If so I’ll close this ticket, concluding that we can keep auto-type.

> do not trigger keepass to enter your passwords into an insecure webpage (or any other insecure network resource)!

Sure, but it would be no unsafer than users entering the password manually in these situations. In fact, using KeePassX should be better when there’s no safe (HTTPS/whatever) option since it encourages unique passwords.

#13 Updated by intrigeri 2016-03-13 11:54:04

  • Status changed from Confirmed to In Progress
  • Assignee changed from anonym to dkg
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA

(Apparently anonym asked Daniel’s opinion.)

#14 Updated by anonym 2016-05-08 05:10:26

  • Target version changed from Tails_2.3 to Tails_2.4

#15 Updated by anonym 2016-06-08 01:34:55

  • Target version changed from Tails_2.4 to Tails_2.5

#16 Updated by dkg 2016-06-08 09:40:40

  • Assignee deleted (dkg)

I’m not sure what i’m supposed to do with this ticket. pinentry 0.9.7-5~bpo8+1 is already in jessie-backports. I’m unassigning myself because i don’t understand what is necessary for this task. If you want to clarify what you want me to do, i’m happy to have it reassigned back to me.

#17 Updated by sajolida 2016-06-16 09:59:33

  • QA Check changed from Ready for QA to Info Needed

Assigning back to anonym for clarification as he was the previous assignee.

#18 Updated by BitingBird 2016-06-27 08:01:30

  • Assignee set to anonym

You forgot to assign anonym it seems

#19 Updated by intrigeri 2016-07-18 07:18:06

  • Target version changed from Tails_2.5 to Tails_2.7

#20 Updated by anonym 2016-09-27 03:15:01

  • Assignee changed from anonym to dkg

dkg wrote:
> If you want to clarify what you want me to do, i’m happy to have it reassigned back to me.

In my comment in response to you (Bug #8121#note-12) I expand a bit on why I think none of the attacks are relevant to KeePassX, and even why it’s no worse to use on “unsafe” websites compared to manually typing. If you agree, I think this ticket can be closed and we leave autotyping enabled, otherwise I’d like a clarification of what I’ve misunderstood.

#21 Updated by bertagaz 2016-11-17 17:38:34

  • Target version changed from Tails_2.7 to Tails_2.9.1

#22 Updated by anonym 2016-12-14 20:11:19

  • Target version changed from Tails_2.9.1 to Tails 2.10

#23 Updated by anonym 2017-01-24 20:48:45

  • Target version changed from Tails 2.10 to Tails_2.11

#24 Updated by anonym 2017-03-09 14:00:28

  • Target version changed from Tails_2.11 to Tails_2.12

#25 Updated by dkg 2017-03-14 01:55:36

anonym wrote:
> dkg wrote:
> > If you want to clarify what you want me to do, i’m happy to have it reassigned back to me.
>
> In my comment in response to you (Bug #8121#note-12) I expand a bit on why I think none of the attacks are relevant to KeePassX, and even why it’s no worse to use on “unsafe” websites compared to manually typing. If you agree, I think this ticket can be closed and we leave autotyping enabled, otherwise I’d like a clarification of what I’ve misunderstood.

I think i agree that if keepassx is manually triggered by the user (as opposed to scanning each window or browser tab for forms it should fill in and aggressively filling in those forms without the user’s explicit permission), then the autotype feature is probably fine. feel free to close this report.

#26 Updated by intrigeri 2017-03-20 14:03:46

  • Assignee changed from dkg to anonym
  • % Done changed from 50 to 60
  • QA Check deleted (Info Needed)

dkg provided the info we requested.

#27 Updated by RLW99 2017-03-28 16:25:58

thanks

#28 Updated by anonym 2017-04-12 09:13:26

  • Status changed from In Progress to Resolved
  • Assignee deleted (anonym)
  • % Done changed from 60 to 100
  • QA Check set to Pass

#29 Updated by sajolida 2017-05-22 17:29:40

  • Affected tool set to Password Manager