White / blacklist not synced?

#1

Hi,

I’m new to using Kee as a replacement for PassiChrome (as it was retired and removed from the Chrome Store), and I just found that for some sites I need whitelisting because auto-detection does not work. To my shock, I noticed that Kee extension settings like whitelists are not synced.

I don’t know about other people, but that’s a huge problem for me as I use Chrome on at least 4 different Windows machines (workstation, laptop at home, laptop at work and a dedicated gaming machine).

As whitelisting settings are obviously not saved as custom fields in KeePass, and the browser extension has no sync mechanism either, do I now need to maintain white/blacklists on each and every machine? Are there any plans to improve this? This is quite an issue for me (how about others?) and I would have expected this to be handled by the KeePassRPC plugin (store/retrieve data in custom fields in a special KeePassRPC entry, for example, or transparently in the settings of KeePassRPC internally). Of course it would also be possible to build a sync mechanism for the extension, but I expect that to be much more complicated than just using KeePass to store the settings across multiple KeePass installations. That’s why I think a special entry is needed; otherwise it’s not shared among multiple machines with multiple KeePass installations with KeePassRPC & Kee.

#2

Hi,

Thanks for the feedback and suggestion.

It’s almost tangential to your main question, but I’m interested in how often you have to configure whitelist entries. Personally I only tend to add a new one about once a year, and I only have around 15 across all 1000 passwords I manage, so although you or I could have an unusual set of passwords, I would hope that this is more of an initial hurdle to get over rather than an ongoing challenge.

Configuration relating to the browser extension rather than to individual entries can’t be synced via the KeePass database because there is no one-to-one link between a browser and a KeePass database (many people even have multiple databases open at exactly the same time). Unfortunately that means the configuration has to be synced either through the feature offered by Chrome/Firefox or through a custom developed solution. Since the configuration of Kee is complex, the amount of data required to be synchronised is too large for Firefox or Chrome to host the information on their servers, so that only leaves the most complex and expensive of the possibilities.

Kee Vault essentially has one “master” database which is always available when open in the same browser as the Kee browser extension so we are able to store this information reliably inside the encrypted KeePass (kdbx) file that underpins your Vault.

#3

I get your point, and actually I use 2 open databases on most machines myself; forgive me for not thinking that far. Of course there’s no one-to-one relation between browser & Kee extension.

And if it’s really just an initial hurdle, I’m fine doing it. The only thing I don’t get is whether Kee Vault offers sharing blacklists / whitelist syncing yet.

I also took the plunge and quickly evaluated Vault with the demo account. Actually, even if you’re promoting Vault a lot, I don’t see all the benefits. Especially the integration with Android seems clumsy unless there’s also a browser integration with AutoFill. Otherwise KeePass2Android (with auto-switching keyboard and URL searching through the ‘share’ function) and syncing through Google Drive is way more comfortable. And then I switch to KDBX4 and have ‘argon2’ support as well, and I use keyfiles and high encryption rounds anyway.

But by using Vault I completely lose the flexibility to integrate with other programs, use plugins etc., and probably the ‘biggest’ downside is one I have already experienced once: what if I want to go back? Do you also offer ‘export’ of entries or of the kdbx file? Last time it took me a big effort to get everything back into KeePass again from a competitor of Vault, even though they exported some CSV, but in a weird way. Therefore I’m very hesitant to switch to a cloud service even if it’s kdbx based.

I fully acknowledge that you cannot work for free, but I would have preferred that you invest time in the extension and KeePassRPC and charge for that work.

But that’s personal opinion of course, and probably because I’ve been burned by this other provider. And there’s another downside. If someone wants to hack passwords he probably targets Vault or other providers more and tries to hack into their systems because the benefit is much higher, unless you get infected by malware which installs a keylogger or something, but then you’re fucked anyway no matter if you’re using KeePass or Vault.

But thanks for your answer on why it can’t be synced. Maybe an export/import function through files would be something for the extension, which would allow you to configure Kee the same way as on other machines if you switch machines.

#4

The only thing I don’t get is if Kee Vault offers sharing blacklists / whitelist syncing yet.

Yeah, that should work such that when you save your Vault on one machine and then sign in to Kee Vault on another machine, the configuration on the subsequent machines will be overwritten with whatever config got put into your Kee Vault on the first machine.

integration with Android seems clumsy unless there’s also a browser integration with AutoFill

Thanks for the feedback. I’ve heard this from a few other people too; essentially Android (and web apps in general) does not support this feature yet. If it’s not introduced soon then I can create an entirely native app that duplicates much of the main web app’s functionality and adds AutoFill (obviously only for Android 9+, which is when they finished development of the feature for native apps), but it could take a year or more to complete such a large amount of development… and then there’s iOS, which introduced a similar feature last year…

I’ve started experimenting with a native Android app but it’s definitely not going to be ready for public testing this year.

Do you offer also ‘export’ of entries or of the kdbx file?

Of course. There’s an Export button right next to the Import one 🙂

I would have preferred that you invest time in in the extension and KeePassRPC and charge for that work.

I really think that KeePass and KeePassRPC are not the perfect solution for a lot of people and while Kee Vault can still be improved, it’s a step in the right direction for a lot of people. Of course it would be great to be able to charge money for work on the desktop browser extension and KeePassRPC but who do I send the bill to?!

In 10 years of working for free on these products, no feasible solution was found; perhaps a huge shift in human behaviour is just around the corner… but I suspect not. Until then, I figured that Kee Vault is priced so cheaply that if someone wants to pay part of the charge for my work on the browser extension they can pay for a subscription to Kee Vault, potentially taking advantage of the browser extension configuration sync feature while still using KeePass on desktop for some or all password storage if that’s their preference for any reason.

And there’s another downside. If someone want’s to hack passwords he probably targets more Vault…

Part of the reason for choosing kdbx as the storage format for Kee Vault is because it is well established and proven to hold up to offline decryption attacks. Since kdbx is designed to be safe to share publicly, Kee Vault is secure even if a synced kdbx file were to be released to the public. Of course, good security is about layers of defences and you can see from other information about Kee Vault and its source code that other layers of defence are also in place to further increase security.

If you really are able to keep your locally stored passwords hidden from the rest of the world forever then you are exceptional (some might also say an optimist). For a lot of people though, what matters more than keeping the encrypted data in a secret location is the security of the data itself, such that if (pessimists may say when) the data is exposed, there is no way to decrypt that data into a form that reveals the secrets (passwords) protected within. kdbx has inherent protection against this risk.

The one thing you can never see for any cloud service, even an Open Source one, is what really happens in that service with regards to enabling access to the encrypted data. However, since you can see that only the complete kdbx file is transferred from your device to our cloud, the potential risk in the worst-case is no greater than the risk posed by an offline attack (i.e. the protection from technologies such as Argon2 limit the rate at which an attacker can attempt to break into the encrypted data). As a matter of fact, we don’t provide any mechanism for an attacker to perform mass attempts to guess the password to your encrypted data but even if we were lying or mistaken about this claim, the inherent protection from the kdbx format would kick in at this point, making an attack futile.

Maybe an export/import function through files would be something for the extensions which allows you to configure Kee the same way as on other machines if you switch machines.

Yeah, that sort of manual file management procedure is probably feasible, although still far from trivial, and I’d definitely want to see what Google’s new extension restrictions bring to the table first, just in case all local file system access is prohibited in the next year or so.
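The argument in the reply above (a leaked kdbx file is only as exposed as the KDF lets it be) can be made concrete with a small offline-guessing cost model. This is an added example, not code from Kee, Kee Vault or KeePass: the standard-library PBKDF2-HMAC-SHA256 stands in for kdbx’s Argon2/AES-KDF (assumption: same kind of cost knob, cheaper per guess), and the header MAC is a simplified stand-in for the kdbx 4 header HMAC. The `seal`, `offline_guess`, `seconds_per_guess` and `years_to_exhaust` helpers, the `HEADER` bytes and the wordlist are all constructed for this example.

```python
"""Offline-guessing cost model for a leaked kdbx-style file (added example).

Scenario from the thread: the encrypted file is public, the attacker has the
salt and the KDF cost from its header, and the only check available is to run
the full KDF per candidate password and test the result against the header MAC.
PBKDF2-HMAC-SHA256 is a stand-in for Argon2/AES-KDF (assumption, see lead-in).
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Constructed stand-in for the unencrypted header bytes an attacker can read.
HEADER = b"constructed-header: cipher=AES-256 compression=gzip"


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Cost-parameterised KDF: more iterations means more work per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def seal(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Produce what leaks with the file: salt, KDF cost and a header MAC."""
    salt = os.urandom(32) if salt is None else salt
    key = derive_key(password, salt, iterations)
    tag = hmac.new(key, HEADER, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "header_hmac": tag}


def offline_guess(leaked: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker model: one full KDF run per candidate, no server involved.
    Returns (recovered password or None, number of KDF evaluations spent)."""
    tries = 0
    for guess in candidates:
        tries += 1
        key = derive_key(guess, leaked["salt"], leaked["iterations"])
        tag = hmac.new(key, HEADER, hashlib.sha256).digest()
        if hmac.compare_digest(tag, leaked["header_hmac"]):
            return guess, tries
    return None, tries


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the attacker's per-guess cost on this machine (best of N runs)."""
    salt = bytes(32)
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key("timing-probe", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def years_to_exhaust(keyspace_bits: int, secs_per_guess: float,
                     parallel_guessers: int = 1) -> float:
    """Time to try every password in a 2**bits space, split over N guessers."""
    return (2 ** keyspace_bits) * secs_per_guess / parallel_guessers / (365 * 24 * 3600)


if __name__ == "__main__":
    leaked = seal("Tr0ub4dor&3", iterations=100_000)
    # Constructed wordlist: a commonly guessed password falls regardless of KDF cost.
    print(offline_guess(leaked, ["password", "123456", "Tr0ub4dor&3", "hunter2"]))
    for it in (1_000, 100_000, 1_000_000):
        s = seconds_per_guess(it)
        print(f"{it:>9} iterations: {s * 1e3:8.2f} ms/guess; "
              f"40-bit space on 1000 guessers ~ {years_to_exhaust(40, s, 1000):.1f} years")
```

Two things the numbers make visible. The KDF cost is a multiplier, not a floor: a password that sits in the attacker’s wordlist is recovered after a handful of KDF runs whatever the iteration count, so the ‘kdbx is safe to share’ claim only holds for a master password (or keyfile) with real entropy. And the multiplier itself is hardware-dependent: PBKDF2 used here is cheap on GPUs, which is why KDBX4 moved to the memory-hard Argon2 that the thread mentions, so the per-guess figure printed for your CPU is an upper bound on what a well-equipped attacker pays.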

#5

Just in case you don’t know how Keepass2Android works, here’s how it works. You open the browser and navigate to a page with a login form. You select “share” in the browser and select Keepass2Android as the receiving application. It will then scan for a specific entry. If it’s not found you can manually search for it or create a new one, which prefills the URL. Once you select an entry it automatically switches the current keyboard to a special keyboard with more or less just buttons for “Username / Password / Custom Field / Go” and also switches back to the previous app (your browser). You then put the cursor in the username field and press “Username”, and the same for “Password” or any custom field, and once you’re done you press “Go”. Then the keyboard is switched back to the previously used keyboard.

It supports AutoExec (so auto-open), KDBX4, Quick Unlock (with a shorter password once unlocked), fingerprint unlock (fully or just Quick), local files as well as native Google Drive & Dropbox support with synchronizing, or any Android file picker. In addition there’s a plugin which allows filling in username & password in most native apps (a kind of auto-fill for apps).

So you see Keepass2Android is very powerful and you will have a hard time even coming close to this functionality. But how about providing an Android file picker which allows selecting the kdbx from Vault? That should generally work. Other 3rd-party products out there also integrate with Keepass2Android this way. Then all you have to worry about is giving access to the database and syncing back any changes; as KDBX4 support is available, it might be the way to go. Of course you would also make the Vault database available to any other app that can use an Android file picker. But as you said, even if you shared it by accident with an app which sends it somewhere, it should withstand any decryption.

Providing an Android file picker for Vault would give users the full power of Keepass2Android and save you a lot of development effort.

I don’t know if something similar exists in iOS because I dropped all my iOS interest about 5-10 years ago when I decided that iOS is just not flexible enough for my taste. And now, being an Android user since Eclair (Android 2.0), nothing will ever bring me back to iOS.