Notes from a disappointed ex-user

Hello there,

I read the upgrade notice today in my browser regarding Kee 3.0 with great disappointment. After trawling through many posts here, I see most of my concerns have been voiced already. But I thought I’d add my voice to the list of dissatisfied (ex-)users.

  1. People using KeePass already are the sort of person who don’t want a cloud-based offering like 1Password or LastPass. It’s surprising that you’re re-branding your product that has been serving these kinds of customers to be, by default, a cloud-enabled offering. It doesn’t matter that the data is also stored locally, that it’s only ever uploaded encrypted, etc. If people wanted that, they’d already be using one of those other services.

  2. I would wager that the vast majority of people using Kee already use KeePass in a disconnected fashion, or use some other service to sync password files around - Dropbox, OwnCloud, NextCloud, an SMB/CIFS share, NFS share, etc. It’s not clear to me that Vault provides any sort of advantage over these solutions except to add a potential man-in-the-middle vector that is hard to audit unless I’m willing to compile my own copy of your new plugin, assuming it’s even open source.

  3. Your messaging is misleading and unclear, even with the re-wordings over the past few weeks. I had to dig through the forum here to understand that the 3.0 plugin didn’t already upload my password file, and that it wouldn’t do so without my explicit permission (and after signing up for your new service). That’s a huge trust violation. For instance, because I work extensively with EU data, GDPR is a critical concern for me. Your plugin’s terms changed so drastically that I started having to write up a disclosure notice to my clients before realizing that no data had left my system! (Your Vault product might not even be GDPR compliant. Do you have a Data Processing Addendum ready for EU customers? You probably want to look into that.)

  4. I did my due diligence and realized that it’s basically just you ( @luckyrat ) behind the entire extension and this new offering. I have increasingly lost faith in one-person projects, especially when they turn commercial as yours has. I don’t begrudge the paid-open-source model, or the SaaS one, but without the transparency of a group of individuals behind an effort like this, independent security audits, etc., I can’t even begin to consider using such an offering - notwithstanding my misgivings about cloud-enabled password management.

It would be hard for you to gain back my trust at this point. About the only thing you could do would be to split your plugin so that there remains a traditional, local-only Kee plugin that I can 100% prove to myself (e.g. by reading the source code) doesn’t surreptitiously upload my password file in the background, encrypted or not.

If you hadn’t taken this strange route, and had communicated it more clearly, Kee 3.0 with a new checkbox to enable Kee Vault support that came disabled by default, even with a “Sign up now!” button (opt-in) wouldn’t have raised my hackles.

I’m now running KeePassXC and the KeePassXC-Browser plugin instead. As these are group-developed projects, 100% open source, and committed to local storage of data as a primary objective, I feel more secure that they have my personal best interests at heart.


OK. Naturally I disagree with a lot of your assertions about what other people want but that’s all covered elsewhere in the forum so I won’t repeat myself here. It looks like you spent a lot of time writing this and I’m happy that you are passionate enough about these issues to do so - I’m sure that we have at least that much in common. It does seem that you somehow managed to miss reading crucial information that as far as I can see is plastered everywhere - with some further guidance about exactly what routes can lead to this being missed, I’ll happily add or update additional sources of information with fundamental facts like that this is open source.

That’s a huge trust violation.

I disagree. I’m sorry that your interpretation of the information available led you to feel concerned for your business processes but I do not see how this statement can be justified.

Kee Vault is based in the EU and GDPR compliant with security and privacy at the core of the service’s design, although that is irrelevant to you as a user of only KeePass and the Kee extension (if indeed you still are).

It would be great if there can be more than just me working on this in future but without selling out to VCs and the like or being born rich, this can obviously only happen when the project grows. I’m sorry that you feel unable to support anything that has not already been grown to a large scale by other people but there’s obviously nothing that can be done about this, unless you have found a solution to the chicken and egg paradox that you wish to share with the community.

Kee is local only, open source and focussed on local data storage as a primary objective - there’s no need to split anything. Again I thought this was very clear in multiple locations but I am happy to consider constructive suggestions on where this can be improved.

As far as I can see, that’s what I did (although no need to worry about the extra complication of a checkbox for enabling or disabling things since nothing happens unless you register and load your data into Kee Vault, as I think you worked out later via the forum?). Sorry if some part of this strange route was not clear. I’m not sure what is strange about it but perhaps you will enlighten me.

To a large extent, the horse has already bolted (around 97% of users have already upgraded over the past week) so re-writes of upgrade-related content need to be kept in perspective - if it will take longer to change the content than it will for the remaining users to upgrade, there would clearly be no point in doing so. Some content is going to be more long-term though so there are certainly some areas that would benefit from further clarifications.

I was starting to write in response to Wohali but @luckyrat was on it before I even had a chance to write some wall of text, but yeah, as he said, no one is pushing you to use Kee Vault; it’s only a plus if you really want what it offers.
Every other point you’ve raised has already been answered in other topics too; I didn’t really get the “opacity” point you pointed out.

I have been cautious as always about this whole thing but from my humble point of view I really do think @luckyrat is doing his best. He’s been really close to his audience and been as clear as he can; I couldn’t really say that about many other password managers on the market…

I disagree. I’m sorry that your interpretation of the information available led you to feel concerned for your business processes but I do not see how this statement can be justified.

That’s no apology, that’s almost an insult. “I’m sorry you feel that way” is lightyears from “I’m sorry I did something that could have misled you.” Try not blaming your users.

To a large extent, the horse has already bolted (around 97% of users have already upgraded over the past week)

We didn’t have a choice; Firefox auto-updated me, and the only way I could know about the update was after updating.

I’ll happily add or update additional sources of information with fundamental facts like that this is open source.

Your SaaS is open source? And fully auditable? 3rd party security audits are scheduled and ongoing? I missed that.

I agree 100% with @wohali’s criticisms. And I’d like to add my own thoughts.

I was deeply concerned to be redirected to a page that appears to tell me that the free browser plugin that connects to KeePass will be premium. This is a huge breach of trust no matter how you look at it. I agree 100% with @wohali that the KeePass extension should be maintained separately from the Kee Vault extension.

You can see here the extension text reads: “Kee offers an easy and cheap password management solution via the Kee Vault service. This is available for a free trial period with no credit card required. If you decide that’s not for you, the add-on can instead work with the free KeePass Password Safe 2 software …” This appears to be aggressive marketing; and the wording makes it sound as if it will not work with KeePass by default anymore until after the user goes through a trial period with Kee Vault first. The wording makes it clear that operating with Kee Vault, not KeePass, is the priority.

How is this any better than AVAST! aggressively marketing their premium products, bundleware, and crapware? The only way to disable AVAST’s adware popups in Windows without paying is to put it into silent mode, after which it continues to tell you every time you open the main window to turn it off, and to deceptively advertise their unwanted crap with dark-pattern false and misleading “security warnings” in the program itself, as you see in the provided screenshots. Complaints about this typically fall on deaf ears.

Is this what we’re going to see with Kee? Dark patterns telling users to install the product it wants, and constantly popping up advertising on users’ computers until they upgrade? I surely hope not, but the extension’s description text is not encouraging; it literally says that Kee is for Kee Vault, not KeePass.

I don’t think these concerns can be adequately addressed while Kee remains a plugin for combined-use of two entirely separate password managers.

It’s a huge breach of trust because, from your website:

If you subscribe to our upcoming Premium Kee Vault subscription you can even connect your Kee browser extension to both Kee Vault and KeePass Password Safe at the same time.

The browser extension had one job, and one job only. Connect to KeePass and return login information for specific sites. It can now send & receive that same information to an unrelated, unauthorised, online service - Kee Vault. This is a complete breach of trust and an unacceptable weakening of security.

IMPORT FROM YOUR OLD PASSWORD MANAGER

Including fully encrypted import from KeePass Password Safe 2

The database should never be going anywhere, at any time. The fact that this functionality is programmed into Kee is very concerning. And even if it isn’t programmed in and you have to manually import the database on the Kee Vault website, what guarantee is there that this functionality won’t be added in the future? In short, we don’t want a plugin that sends passwords to a 3rd party server or a 3rd party application, even if it’s only meant to do it when “authorised”. We know that every security flaw happens because something happens when it wasn’t supposed to, so if the functionality isn’t required for use with KeePass then ethically it shouldn’t be programmed into Kee at all.

Like the OP, I’ll very likely be moving off KeePass entirely due to this change; it simply isn’t acceptable to have a dual-purpose plugin that could be sending our sensitive passwords to another service.

The Open Source nature of the software is explained at Open Source | Kee Vault Ltd. So yes, you can audit everything that goes anywhere near your passwords. Please feel free to undertake a 3rd party audit and share your results with the open source community.

and the wording makes it sound as if it will not work with KeePass by default anymore until after the user goes through a trial period with Kee Vault first.

I don’t see how it can be interpreted in that way. Can you suggest what words should be changed so that you don’t get this impression?

It can now send & receive that same information to an unrelated, unauthorised, online service - Kee Vault.

Again, that’s not what is intended from the quote you supplied and I can’t see how it can be interpreted in the way you suggest. Care to elaborate?

It can now send & receive that same information…

That’s not correct. I’m interested in what makes you think that is the case?

In short, we don’t want a plugin that sends passwords to a 3rd party server or a 3rd party application, even if it’s only meant to do it when “authorised”.

Kee does not and will never do that. Beyond it being open source and therefore auditable, there’s nothing more anyone can do to re-assure you this won’t change in future - you won’t find any better assurances from any other software.

I can assure you that I spent many weeks developing and refining the wording of these various messages and received positive feedback from many people. However, I am not surprised that when delivering this information to tens of thousands of people, some have interpreted it in a different way; contrary to some suggestions, I’m not ascribing any blame for this to users - it’s just a fact of life. Yes, it would be nice to eliminate such misunderstandings completely, and yes the responsibility for doing so lies with me; I don’t think it is possible to reach a perfect 100% score on this but I am genuinely sorry to anyone that has been adversely affected by any imperfect messages and remain keen to make improvements where possible.

I understand the need to view changes to security software with suspicion but I do hope these assumptions of malice can be replaced with some constructive suggestions. For example, rather than complaining about Firefox/Chrome’s auto-update behaviour for extensions, you might want to help with my efforts to develop an improvement.

There are no other active developers on Kee, so therefore no one is checking the code. As the old saying goes: you can’t find errors in your own code. That’s why they persist; heck, the EternalBlue exploit affected all versions of Windows from Windows 2000 through to Windows 10, all because a coder had made a simple type error. No one at Microsoft spotted it for 17 years. Now it’s true that MS should have made the source code available for auditing, but the point remains that someone has to read it and find the error, not just read it. We’ve also seen recently that automation surprises have caused two Boeing 737 Max aircraft crashes as well as emergency situations, including one just this week.

Uh-huh. You know who else said the same thing? Michael Gundlach, and then without warning changed his mind:

If it has the ability to save passwords into the KeePass database then it has the ability to do it into the Kee Vault database, this is what concerns me. A bug in the code, or an exploit, and the passwords are sent to the wrong destination.

The wording is one part of the problem; the other part is the fact that it connects to an online password service. There is just no justification in my mind for it to be connecting to a second service, regardless of whether that’s “Kee Vault” or “LastPass” or anything else.

I appreciate what you’ve done with the Kee extension over the years; the fact that it only has 62,000 users is in my mind very concerning. What we should all be concerned about is getting people to use password managers - my database has over 90 passwords in it and I have over 20 passwords memorised that are not in it! It’s perfectly fine that you’ve been working on a premium service, I wish you luck with it, but it’s just not right to have a single browser extension that can connect to both password managers. So I have uninstalled it and moved to KeePassXC-Browser, but again I reiterate my appreciation for developing and maintaining the plugin in the first place.