At the time the download links on the non-official Keepass.com site seemed to point back to the official sources, but I noted of course that could change in the future, or could even be different depending on who visits the site.
I ended up submitting an objection to the TrueCrypt trademark application to the USPTO, but I'm not sure how much good it will end up doing. I was not able to pay a lawyer the several thousand dollars they wanted to draft the letter themselves.
I have been working on a fork of TrueCrypt/VeraCrypt and wanted to be sure that before releasing the code that I am following all the license terms and giving proper attribution, as TrueCrypt has a somewhat non-standard open source license.
TrueCrypt has an old trademark issued back in 2007 but which expired after 10 years in 2017. As part of the licensing review, I discovered there is a new trademark application filed August 25, 2018 by Julien Clairet under a company named "DATA ACCESS" based in Paris, France.
I discovered [that] "keepass.com" is also apparently registered to Julien / DATA ACCESS.
There is a publication period when new Trademarks are announced and an opportunity to contest the validity of the claim. The new "TrueCrypt" trademark was published on February 20, 2019, and you have 30 days from the time that the mark is published to file any opposition.
I am preparing to file a response to USPTO.
First of all, a huge thank you from everyone that loves TrueCrypt for doing this.
How long will it be before you know if they issued or rejected the trademark? Is there anything else that can be done now that the 30-day deadline has passed? Would you mind posting a link to the trademark application?
For anyone confused by this Twitter sound bite, the story is that there are 2 main sites from which you can download KeePass Password Safe (the free, open-source password manager):
- https://keepass.info/ is the official site, which ironically uses a suspicious-looking .info top-level domain, but is in fact the legitimate source
- https://keepass.com/ is an unofficial site which the Twitter article is reporting as spreading malware, but has somehow obtained the more legitimate-sounding .com top-level domain
And by the way, both of these sites come up on the first page of a Google search for "KeePass".
I have the same issue with Putty. I was helping a client debug an issue with an appliance they bought from my company (me on their computer, them watching over my shoulder) and asked if I could download Putty on their machine. They said yes, so I went to "https://www.chiark.greenend.org.uk/~sgtatham/putty/" and clicked the download link and they flipped out. It's too fishy, they said, must be a malicious site. I went to putty.org instead (not affiliated with Putty), and clicked the "download putty" link and it redirected back to the other site, and from that point they refused to let me download Putty.
We then spent 3 hours getting approvals for me to get my own laptop on their internal network so I could use ssh from my Macbook. I felt bad because my company charges like $300/hr for our consulting services, so we wasted nearly $1000 because the main Putty download site seemed too suspicious for the client to be comfortable with.
I know Putty is legitimate and I know it's a free product, but appearances do matter. Presentation does matter. Although I do blame Microsoft a bit for not shipping an SSH client for so long.
When I used to install Keepass on a new computer, I would Google "keepass" and then hesitate a moment before clicking the .info domain. The best solution I could come up with was to start using KeePassXC instead.
That's just a business problem, not any different for domain names than anything else. I have a great idea for a business, it's a small building that sells pizza. Unfortunately I can't name it Pizza Hut because that's already taken. I want to start a supermarket and my last name is Wall, I can't exactly call it Wallmart. I want to start an electronics supply company, I can't call it Tesla. I have to come up with other names.
I want to create an app that helps people relax. Sorry, Calm is taken, I need a different name. I want an app that's like a book of faces... Facebook is taken. I need a different name.
If someone else already has the domain name you want, you can register under a different tld, but you have to be aware that this conflict will exist and confusion will be a problem.
KeePass is an open source project. There's no "letting" involved: they don't have the domain name. Please be more careful about accusing people of malfeasance.
You could have written a good version of this comment that said something like "KeePass should rename, that's in the best interests of its users". Try to write constructively here.
To turn this thread into something more constructive: it might be a good idea to report it to https://safebrowsing.google.com/safebrowsing/report_phish/ to make sure it gets Google's attention, and hopefully warns people browsing the site.
At least a little bit of criticism should go to Google Search as well. Isn't it their mission to show users useful search results? Is there any user that would prefer the fake malware site over the legitimate site? KeePass is a popular piece of software, not an obscure item to search for. And it seems like it's been going on for many months, plenty of time to make Google's algorithms respond (if they wanted to).
One of the incredible perks of getting your phishing/malware site on the .com tld of your target website is the amount of people who will visit your site directly without even going through google.
Also, in my experience, Google is very receptive to and decisive on phishing and malware complaints. I've worked on websites that are constant phishing/malware targets and Google moved quickly with us on getting that "this is a malicious website" splash page into Chrome.
Since this has been going on for a year, I'd be shocked if the Keepass people even tried. Not even a mention of it on their homepage to help their users pick the legit one?
My take: a considerable amount of users see the .com on SERP, and click on it over the .info. Google algorithm then increases the ranking of the .com even more because that's where users go and stay (i.e., they don't bounce back to the search).
> Not owning the .com, letting this happen, and then letting your users get fucked for a year is so incompetent that it's less of a reach to assume the Keepass devs are simply in on it.
> If you're buying a .info or adding "Origin" after your name, then it's time for a rebrand. You scrape together pennies in your stubbornness at the massive expense of filling the coffers of the bad actors and screwing your users with confusion. Especially for security software.
So, apparently, according to you, not owning the .com equivalent to your non-.com domain means you're incompetent. Has it ever occurred to you that not everyone is from the USA? If you're supposed to own the .com domain anyway then why ever bother with non-.com domains? All non-.com domains are obsolete according to your reasoning, including .net and .org and ccTLDs.
Also, this is non-commercial, free as in beer, FOSS. Where was your donation to the project?
Just to be clear, you quoted me enumerating a sequence of three things that together informed my judgement, yet you tried to refute my judgement by only responding to one of those things and thus mischaracterized my criticism in that process.
Also, I think indifference is a better accusation here than incompetence.
If I had to summarize my point of view across the various posts I've made here, it's that I think they are failing all the good folks who made the mistake of looking up Keepass after hearing that it would help them take an important step of cyber security in their life, getting fooled by an imposter, and getting pwned.
Well, that is to keep it brief because there's not much to refute on the other two 'things'...
> letting this happen, and then letting your users get fucked for a year
Is out of their control. They're not responsible for Keepass.com. That's both simple and obvious.
Apparently, if they put up some kind of banner on their website it'd be all cool and dandy?
Do you feel the same about uBlock Origin?
Let's get this straight. That uBlock Origin warns users that ublock.org is fake is a service. They do not owe you that service. They owe you two things: jack and squat.
You sound like you're entitled, but I ask you again: what did you contribute to make the problem go away? Did you donate money to the problem? Did you contact the project?
I agree with feanaro, users should not trust .com over any other tld and if many of them need to touch a hot stove to let this sink in then so be it. Also, I don't think anything that has any cost at all should be expected of any open source project unless you are paying them.
I think that's a very sad and hostile way to treat people not as tech savvy as you.
You talk about how users should do their own research, yet nobody at Keepass could even be bothered to update their homepage to help users make the disambiguation. Has Keepass done anything about this over the last year?
Keepass' last release was 8 days ago. What even is the point of pushing another commit until you've at least done the bare minimum to help your users? What even is the bedrock purpose of this software at that point? Isn't the goal a password manager to help good folks avoid getting pwned by bad guys in the first place? Yet they now have zero skin in the game when bad guys use their image to pwn their own users?
I just see bizarre incongruence. Like working hard to ship releases because that's the dedication your users deserve, gosh darnit, while your website has been compromised and serving different binaries for years.
> I think that's a very sad and hostile way to treat people not as tech savvy as you.
To some degree, agreed. To some degree, this is the way the world works and protecting them earlier increases the risk that they'll make a big mistake later.
Potayto, potahto. The underlying system is still so messed up that safety here is literally impossible, and there's no alternative.
I don't mean to be harsh; that is just how people learn. It is something false about the world many people believe to be true, and people learn from experience. I'm not sure the target audience for Keepass is anyone but tech savvy individuals either; I certainly don't know any non-tech people that use it, only LastPass and others like it.
I touched a hot (wood) stove when I was a kid by the way.
You know, on second thought, you might have won me over: maybe Keepass' real gift to the world's security consciousness is giving the layman his first taste of getting pwned.
How is putting information on the homepage of the correct site going to help people who have gone to the wrong site? Pretty much nobody is going to go to both sites to see which looks most "legit". At best they'll assume that the sites are mirrors of each other, at worst they won't even notice two in the search results.
I think it may be a stretch for a semi-technical user of keepass to realize that they have been pwned because they downloaded a client from keepass.com. They may think they were phished via email or some other avenue, so I don't think it's much of a guarantee that letting this happen would lead to users thinking 'Ah, that's what I get for trusting a tld! I'll be wiser next time.' I think it is more likely that an individual will react with 'ugh, hacked again, how did they guess my passwords!?'
What do you propose they do? Purchasing the .com for well-known software is prohibitively expensive, especially for FOSS projects. You could attempt a UDRP, but that’s also prohibitively expensive.
To suggest that inability to do anything—or even indifference, as you characterize your argument in a later comment—implies they’re “in on it” is simply illogical.
There’s no evidence of KeePass developers being involved here, and it’s quite unlikely that they are. Short of using their own money—thousands of dollars—to hire a lawyer, there’s not much they can do.
Rebranding doesn’t really make sense. People are going to keep searching for and suggesting KeePass for a long time after the rebrand. It’s too established for them to pull that off; they’d end up driving even more people into the hands of malicious actors. When people search for KeePass, being unaware of the rebrand, they’ll inevitably stumble upon nefarious websites purporting to be KeePass. It just amplifies the problem.
Malicious actors buy domain names all the time to pressure organizations or companies into paying thousands of dollars for a domain name like company.sucks. It wouldn't surprise me if malware developers pivoted to blackmailing by damaging good reputations via their malware. A clean $5000 check is better than skimming $10 off of hundreds of credit cards or McDonalds accounts.
I'm not sure I'm buying into this .com elitism. In the end, it's a TLD like any other and its presence does not guarantee that your trust is warranted, as this very case shows. It cannot replace actual verification and vetting of the sources you're installing software from.
An acknowledgement of the situation on the official site would be nice, though.
Well, it is TLD elitism. Sometimes acquiring a domain is not an option. Sometimes you can lose domains. What then?
Nothing can replace common sense and critical thinking when installing software from the internet. In the end, everything on the internet is potentially untrusted and blindly looking for ".com" is just a dumb strategy if your goal is not to get pwned.
I really cannot bring myself to consider not acquiring <software_name>.com a failure of the software package creator. As I said, if they are aware of a currently on-going phishing attempt that is masquerading as their own software, a prominent tip on their actual website would be nice.
The namespace is finite and not every website can be expected to be under .com. Also, the trustworthiness of a TLD is itself a fad, a fashion that changes over time. See: the popularity of .io.
What a great world in which any video that accidentally includes a radio playing a song is immediately taken down, but this sort of thing can go on for years.
And this is why you buy the .com domain for your company, instead of some weird one like .info, .io, or .pizza: most people assume that's where they'll find your company. If someone's squatting it, you can buy it from them, or just come up with a new nonsense word for your company.
Maybe developers are getting used to the `getQwerpy.io` convention, but I don't see it catching on more broadly.
Change the name. Especially if you're a security oriented service and not having the dot com opens you up to this sort of, I guess it's phishing? .info and all are basically active red flags, especially for a security oriented project...
Honestly the Keepass maintainers have had enough basic issues with website security (see how long they held out on https for update downloads), that I use KeepassXC even on Windows these days. I figure there's enough eyes on the kdbx 4 protocol that it's safe, but the keepassxc team feels better organised.
According to https://keepass.info/help/kb/sec_issues.html, it doesn't auto-update - it just displays that a new version is available. Enabling a man-in-the-middle to display a fake update notification, when there are fake versions of Keepass floating around and the user could easily slip up (and the MITM could guide the user towards a fake version) still feels like a hole, albeit a minor one.
It has however been resolved:
> the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.
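As an added example that is not KeePass's own code (its real file format, key handling and keys are not shown here), the check quoted above modelled in Go: a constructed version information file is signed with RSA and SHA-512, and a client that only accepts signed files rejects both an unsigned copy and a copy a man-in-the-middle has edited to point at a different download host.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed (constructed) layout for the example: plain text lines, followed by
// one "SIG:" line carrying a base64 RSA PKCS#1 v1.5 signature over the
// SHA-512 digest of everything before it. Not KeePass's actual file format.
const sigTag = "\nSIG:"

// signVersionInfo is what the publisher does once, offline, with the private key.
func signVersionInfo(priv *rsa.PrivateKey, body string) (string, error) {
	digest := sha512.Sum512([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return body + sigTag + base64.StdEncoding.EncodeToString(sig) + "\n", nil
}

// verifyVersionInfo is the client side: it returns the body only if the file
// carries a signature that validates under the pinned public key. An unsigned
// or modified file is rejected, so a MITM cannot inject a fake update notice.
func verifyVersionInfo(pub *rsa.PublicKey, file string) (string, error) {
	idx := strings.LastIndex(file, sigTag)
	if idx < 0 {
		return "", fmt.Errorf("version info is not signed; refusing it")
	}
	body := file[:idx]
	raw := strings.TrimSpace(file[idx+len(sigTag):])
	sig, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return "", fmt.Errorf("malformed signature: %w", err)
	}
	digest := sha512.Sum512([]byte(body))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	return body, nil
}

// runDemo signs a constructed version file, then checks the genuine copy, a
// copy with the download host rewritten, and an unsigned copy. It reports
// which of the three the client accepted.
func runDemo(bits int) (genuineOK, tamperedOK, unsignedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return false, false, false, err
	}
	body := "KeePass:2.41\nURL:https://keepass.info/download.html" // constructed
	signed, err := signVersionInfo(priv, body)
	if err != nil {
		return false, false, false, err
	}
	// A MITM swaps the download host but cannot re-sign (constructed tampering).
	tampered := strings.Replace(signed, "keepass.info", "keepass.com", 1)
	_, e1 := verifyVersionInfo(&priv.PublicKey, signed)
	_, e2 := verifyVersionInfo(&priv.PublicKey, tampered)
	_, e3 := verifyVersionInfo(&priv.PublicKey, body)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	g, t, u, err := runDemo(4096) // RSA-4096, as the quoted note states
	fmt.Println("genuine accepted:", g, "| tampered accepted:", t,
		"| unsigned accepted:", u, "| error:", err)
}
```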
For an unregistered .com. Most desirable .com's have been squatted, and the squatters want five to six digits for the domain. The business model deserves a fiery death, yet it thrives.
Fair point. Most of my domains have not been .com's but when I've registered I've checked if the .com was available and for the most part they have been.
So cities recently have been toying with vacancy taxes that target rich people using prime real estate speculatively or who wish to reserve a unit without anyone having lived there for cultural reasons - maybe that's the sort of tactic we need to examine with domains, some sort of creative usage bar that utilizes distinctness from other domains to detect squatting and levy a fee.
At scale, distinguishing a squatter's markov-generated WordPress landing page from a genuine pre-product startup in stealth mode sounds like a Hard Problem. On the other hand someone with 10,000 domains and zero business plans is obviously a squatter. There's probably a way to draw the line that's viable to enforce.
Seems like it would be fairly trivial to find any instance of a phrase similar to "this domain for sale" on any page and flag it for human intervention. Because that's how squatters get buyers, right, by indicating the site is for sale? Am I missing something obvious?
Additionally, as a web developer, when I see squatting on a domain I want, I will be absolutely livid. Give me a place to report squatters and I'll happily help you crowd-source what was previously a Hard Problem.
That's actually kind of genius. Domain squatting is highly automated, so in most cases it's not hard to figure out when a domain is squatted rather than simply inactive. Taxing squatters 10% of their sale offer every year would make them think twice.
It could even be done through the registrars: for every year you hold onto a domain, the registrar withholds another 10% if/when you sell it. Legitimate companies and people wouldn't suffer, since they would want to keep their domains more or less forever. Those looking to flip domains would have to consider their diminishing returns.
Disclaimer: I'm the founder/maintainer for AppGet (appget.net)
Issues like this were one of the main reasons I started working on appget.
I died a little bit inside every time I saw a friend google an app and click on the first link (usually an ad) or click through the installation wizard as fast as they possibly could and not unchecking the toolbar, bundle, bonus, whatever else.
AppGet solves these issues from a couple of different angles:
1. we only allow packages hosted on the official vendor, maintainer websites.
2. All package manifests are simple YAML files on GitHub where they go through a PR/Review before getting merged.
3. For your _tech normal_ friends or family, they can search for apps in https://appget.net/packages/ and click the install button, and we do the rest. No command line needed.
4. We disable all bundled app installations by default.
Back in the days, when Google was still somewhat new, I tended to laugh a bit inside when my parents and other non-techies would search Google for a domain rather than to go in the address bar. They'd search for Ford or Ford.com, rather than just put Ford.com in the address bar.
Though I quickly realized it wasn't such a bad idea at all, for exactly the reasons such as this. Even I mess up domains sometimes, so I usually tend to use Google instead except for the ones I know by heart (or have bookmarked).
This only really works if you have an ad-blocker, or at least know to ignore the ads. Otherwise Google will frequently end up serving ads for a malicious product (most commonly seen for crypto products).
This is a super gnarly one to me because it is a PASSWORD MANAGER. Literally they could just supply a password manager that also sends all the passwords to a third party.
I get it, open source, hard to keep the lights on, etc etc, but I feel like if you take the steps of getting into such a security heavy space, then you have to be able to keep up your end of the bargain.
In this case it might not mean registering every variation of keepass (keepass.com probably useful though) but it certainly means working aggressively with search engines to get things flagged, send push notifications to your users warning them of it, etc etc
Because people have put their trust into you and you owe them something for that.
Better to shut down a project and walk away, for example, than leave it up, never update it, have a vulnerability get exposed, and have everyone using your product get owned.
The companies even sell products, for which everybody directly pays, and then owe even the millions of users nothing once they have sold the product (actually sold the "license"). I've even had to buy exactly the same product (the license) more than once, every time I've changed the platform or even just changed the computer.
So if I publish anything as open source, free for anybody to use, I owe even less to anybody with whom I don't have a paid contract for support.
Your answer to the problem of malicious actors squatting domains is to shut down the legitimate one? Did I read that right? keepass.com won't stop serving malware even if the keepass project has been abandoned. Your solution just makes the problem worse.
Been using the KeePassXC[1] community fork for about three months now. The transition was smooth; it's pretty much identical to KeePass or KeePassX. Has TouchID integration for MBP which is super useful. Plus the source is available on Github and is actively maintained.
We can fly rockets to space and then land them on barges at sea, cure diseases, use technology to reduce global hunger, create synthetic organs, and trade trillions of dollars of money across oceans in microseconds, yet we can't figure out which of two computers in an online card catalog is real and which is going to empty your bank account.
* private space missions were financed from the sale of a predatory business (paypal)
* government space missions originated from the cold war arms races (that continue to this day)
* a few diseases are curable, many aren't. pharmaceuticals profit more from treatment than cure, however. Some ailments such as anaphylaxis and diabetes that are mostly treatable have been receding into "uncured/undertreated" territory because pharma keeps raising the prices of insulin or epi pens.
* much of hunger, say in Africa, can be easily treated if we could find a way to keep warlords and corrupt gov's from stealing the aid, but our technology isn't helping us very much (not saying we shouldn't keep trying, but tech is of no use for this problem)
* synthetic organs sound great (if you need one). maybe this I concede is a victory for (bio)tech.
* trading money is really just trading information. Once the infrastructure is in place, it's a trivial matter.
Deciding who gets to post content online is a much harder problem to solve. If you could make one call to Google to have them de-listed from search, every company/political faction would be doing this to their competitors/rivals.
https://hackertimes.com/item?id=19311856