Kee/KeePass authorization request

#1

A couple things …

  • When I have Kee open in Chrome/Chromium, and am using KeeVault, I open KeePass in order to open my KeePass DB (for authenticating in Thunderbird) and Kee starts prompting me to authenticate the connection to KeePass, but no matter how many times I click on ‘deny this request’ a new authentication request pops up.

  • Again, with Kee and KeeVault running in Chrome/Chromium every time I login with credentials stored in KeeVault I get a popup notification asking me if I want it to be save the creds to Kee/KeeVault, even though they are already store in there.

  • Something completely different … I was showing someone KeeVault and they asked me “How do you know?” as in … how do I know, or how can I verify, that all my creds are actually stored in a securely hosted KeePass DB and that they are not accessible to the developer of this project.

#2

I admit I hadn’t imagined this scenario of KeePassRPC being installed and used with Thunderbird while Kee Vault is used in the browser. I’m not sure of the best way to resolve this in the long-run but for right now, you should be able to effectively disable the detection of KeePass from Kee by changing an advanced setting on the Kee Options screen. Look (towards the bottom) for the option for configuring the “TCP/IP Port” and just change it to a different number (probably adding or subtracting 1 is the best approach). You might have to restart the browser (but maybe not). Just try not to forget you’ve done it - being an advanced setting it’s not always the first thing to come to mind when you or anyone else is trying to troubleshoot an issue in future :smiley:

Does this happen on all websites or just some? It sounds as though something has changed (e.g. enabling or disabling a checkbox to remember credentials) but possibly on occasional websites they might make some sort of hidden change. It’s not something I see myself very often so if it’s widespread for you we can probably get to the bottom of it and fix it for at least most cases.

It would be worth trying in Kee v3.1 too if you haven’t already (beta testing at the moment so Firefox only) just in case this helps, although I’m not expecting widespread changes to this behaviour across many websites.

It’s a great question that I wish more people would ask when considering a password management solution. Kee Vault is proudly Open Source so you can view all the code that runs on your browser to verify that it is not designed to send any sensitive information to the Kee Vault team. You can read more about that and find links to the code at https://www.kee.pm/open-source/

For a non-technical person, it’s a bit hard to go from that to a “100% verified” state because you’d need to look into details like the actual code that is sent to your browser from the internet (or maybe as a short-cut, at least use the browser development tools to inspect the data that Kee Vault sends to/from the internet). If you’re not technical enough to do this yourself, you effectively have to trust some combination of the other technical people that care about such things and have investigated for themselves, and that I’ve been doing this sort of thing for a long time so the chances of anything malicious or any serious errors being present in the code is lower than if I had just appeared out of nowhere.

#3

Thanks for the response.
For the 2nd issue - it doesn’t seem to happen with all sites. I will have to test more and keep track of when it happens and get back to you.