Kee v3.1 browser extension released

#1

The highlights, as listed in the update release notes when your browser upgrades to the new version:

  • Various improvements to form detection, entry matching and auto-filling entries
  • Limited the number of fields that the Kee icon gets added into
  • Fixed several issues that prevented the Kee icon in a field from being seen correctly
  • The Kee icon in the toolbar is now briefly animated when entries are available for saving
  • Improved per-site configuration feature
  • Added buttons for opening your password manager to the main panel
  • We no longer save empty fields to your password manager
  • Work around a Firefox bug that causes the main panel to appear empty sometimes

Some specific changes are discussed in more detail below. Also look out for the new version of KeePassRPC which will enable further improvements for those of you using KeePass as your password manager.

As usual, this version will be available first for beta testers and get rolled out to everyone else in approximately 2-4 weeks’ time.

Less aggressive Kee icons (in form fields)

The Kee icon will now only be inserted into a maximum of 4 fields that are strong matches for the contents of the matched entries. In edge cases involving entries with many more fields than others on the same website, some relevant form fields will no longer get a Kee icon included, but you should see one in a nearby field, and this change won’t affect the accuracy of the fill operation when you select a matched entry.

As always, you can use the main panel “Matched login entries” button or Ctrl-Shift-2 to invoke auto-fill if you can’t see the icon in the field you want to fill.

More aggressive Kee icons (in the browser toolbar)

It’s a fine line between making sure you’re aware of when Kee can help you and leaving you alone to get on with your life. Some recent user testing has confirmed that for nearly everyone the current approach is too “quiet”. In an attempt to find a better balance, we’ve added a new option to highlight more obviously when Kee can save a password for you.

On Google Chrome this is a nice subtle animation but unfortunately Firefox doesn’t support subtle. In any case, if you’re a Kee expert and prefer the current silence, just disable the feature in the add-on options.

3 Likes
#2

What does this mean? It loads the KeePass window into the panel somehow?
More importantly: is there a good reason (missing API for example) for raising the compatibility to v60?

I’m on the 56 branch (via Waterfox) for the foreseeable future. Should I install 3.1?

#3

In the main panel, there are two new buttons. One each for Kee Vault and KeePass. When clicking on those buttons, your password manager will open and become focussed. The main panel then closes (as is required for all browser extensions after clicking on a button).

v60 has been required since Kee v3.0 - for reasons of missing and broken APIs in earlier versions.

If you can’t upgrade beyond v56, you will be unable to use any current or future version of Kee but it’s up to you when/if you upgrade your browser. There are no known security problems with the latest Kee 2.x version, although it will never be maintained so obviously the risk of problems will increase with time, as when running any outdated software.

1 Like
split this topic #4

2 posts were merged into an existing topic: Mozilla plugin signed

#5

I was aimed at signing on as this could be very useful, but security concerns hold me back. The fact is, if you’re storing my vault in your space, on your machines, despite how well it’s encrypted I’ve just given you the safe, and I have to give you a way to open it by proxy or not. You having possession of it is a straight up no-go. KDB files for a lot of people hold their whole life in there. You can’t honestly expect to be arrogant enough and skim the surface of encryption in description, without even sharing where your machines are, what cloud(s), what security measures you have in place and so forth. The vaults are the beginning - what about iptables and edge firewalls, selinux and chrooted areas, how about how you’re implementing SSL, your webservers, how you’re encrypting local perhaps ephemeral storage of these vaults, how you protect the keys, how you monitor your machines and balancers, there’s a thousand factors. But it really doesn’t matter. Everything eventually gets cracked…all versions of TLS besides 1.2@high are out, many because they quickly or over time became weak and vulnerable, your ciphers have to be strong as possible, but I don’t see mention of them or at least a shorthand reference, you don’t mention 2FA/3FA, and so on, or anything about the backend. I think you will find (or have found) that you can’t get a mass crowd to adopt this. It’s like saying hey, I provide security for your home - I will facilitate you accessing it securely. I just need your keys to all doors, which I will keep at my place, and your code for your alarm device. You think anyone would really be up for that? Maybe I’m wrong. But ciphers and protocols will get knocked, and turn weak, exploits in all applications will happen, and we will evolve forward but it’s a game of cat and mouse. And there’s intervals where things become vulnerable that unless you’ve got a NOC for your set of cloud resources 24/7 you’ll be open at some points. And KeePass is tough but not forever.
And if you’ve got the key in proximal area that’s even worse. There’s a reason KeePass is local storage…because it can hold the keys to your whole life and you choose how to protect your assets of which you own and control. I think anyone with an inkling of computer security concerns would balk at this thing. Not to mention you do a trial which is a complete turnoff, at a price that’s not really reasonable. Of course you don’t work for free, but the model sucks. And I hate coming upon a product with functionality that may match what I need and seeing the Download Trial now for 2 weeks! 95% of the time I’m gone. A one-time fee with a trial period with full functionality for 1 month minimum should be it. And a reasonable fee, maybe annual of $49. Even that’s high considering half your code is emulating or copied from other free plugins of which there are many. I don’t mean to be so harsh, but the fact that you’re defending storing other people’s vaults rather than issuing encrypted streams which can call a KeePass API with authentication that can hash/obfuscate a key/password and access 1 entry and 1 only at a time based on a matching pattern to the website or something similar, smacks of a poorly laid out roadmap. KeePass may lack open APIs for something like that, or the ability to get close to it, but keep in mind - you’re basing a not inexpensive adaption of KeePass on tech that many do already for free, and all the while your prime asset is free too. Good luck.