I'm testing KeePassXC in order to find a solution for using KeePass on Mac and Linux.
I've tested with Firefox and Chrome and neither works.
Auto-type works well
Why have you deleted the issue template?
Please reply to these questions:
## Steps to Reproduce (for bugs)
1.
2.
3.
4.
## Your Environment
* KeePassXC version/commit used: (can be found under Help -> About)
* Qt version (e.g. Qt 5.3):
* Compiler (e.g. Clang++3.6.0):
* Operating System and version:
I think you are trying to use KeePassHTTP on the compiled dmg on the website. This is disabled by default. You must enable it by manually compiling KeePassXC from source with the -DWITH_XC_HTTP=ON flag when executing CMake.
I assume too that you are using the 2.1.0 pre-compiled release. We disabled KeePassHTTP deliberately due to some security issues. If you need it, you must compile KeePassXC yourself from the source package as @TheZ3ro already mentioned.
@phoerious Could you elaborate on “some security issues”? Your README has at its beginning a section on why the fork, pointing toward this comment among others:
PS: There are no security problems with KeePassX or keepasshttp, just a matter of usability.
And stated otherwise, should distros enable KeePassHTTP in their packages?
We have a discussion about it here (although not everything regarding this module's security was discussed publicly): https://github.com/keepassxreboot/keepassxc/issues/147
At the moment we don't believe that KeePassHTTP is a huge threat as long as you only allow it to bind to localhost, but its general design and protocol are very questionable. I would generally recommend not building it into distro packages. At least not until we have reworked it and at least disallowed binding to any interface other than the local loopback.
Thanks for the reference.
I've installed the dmg and I was thinking that KeePassHTTP would work out of the box.
Steps to reproduce:
Versions:
If you are "selling" it as having KeePassHTTP support, it should work out of the box by installing the dmg file on Mac.
EDIT: you shouldn't have closed the thread so quickly. I'm trying to help.
Would disabling the KeePassHTTP server at runtime not yield the same security increase as not having it compiled in in the first place? That would at least mean a user doesn't need to compile it themselves if they want the support; could it just be a flag in the application settings?
@abacao We ship KeePassHTTP support only if you compile it yourself because recently we had some security concerns about it and it's not safe to enable it by default.
@RealOrangeOne right now, if a user can enable KeePassHTTP with a click, they can also bind the listening address to listen on 0.0.0.0 (Any). Also note that if KeePassHTTP fails to bind 127.0.0.1 it will fall back to 0.0.0.0.
Listening on 0.0.0.0 is a high-risk option that can leak your passwords, so users must compile it themselves (they know what they are doing).
ah, yes, listening on 0.0.0.0 does sound like a terrible idea. I'm sorta surprised that's in the library tbh. If it could be forced to listen on loopback, and if it failed to bind just disable the plugin, I think that's probably the best solution
It is our fault releasing 2.1.0 without hot-fixing #147. We chose disabling KeePassHTTP entirely instead.
Maybe we will release a 2.1.1 fix in the next few days
I agree that we should have communicated our decision to not build KeePassHTTP into the main release better. But I still think it was the right move. When not handled properly, the current implementation can easily endanger the confidentiality of your password database and we don't want that. On the other hand, we couldn't stall the release any longer.
We will have a deeper look into the issue and fix certain aspects of the plugin and then may release another version with KeePassHTTP enabled, as it seems to be a much-demanded feature. Restricting listening to localhost is one obvious fix that needs to be implemented. However, we also need to evaluate whether that is the only thing that needs to be changed to guarantee the safety of your database.
In the meantime I updated the project description page and added a couple of notes regarding KeePassHTTP: https://keepassxc.org/project
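The two behaviours discussed in this thread (the fallback from 127.0.0.1 to 0.0.0.0 noted above, and the "force loopback, disable the plugin if the bind fails" fix proposed as the obvious remedy) are easy to show side by side. The following is an added illustration written for this page, not KeePassXC's or KeePassHTTP's own code; it uses plain Python sockets rather than the Qt networking the project uses, and the function names `bind_with_fallback`, `bind_loopback_only`, `address_is_acceptable` and `demo` are my own. The port is left user-controllable, with port 0 meaning "let the OS pick", which matches the point that there is no standard KeePassHTTP port.

```python
import ipaddress
import socket

LOOPBACK = "127.0.0.1"  # the only address the hardened listener will accept
ANY = "0.0.0.0"         # binding here exposes the listener on every interface


def bind_with_fallback(port):
    """The risky pattern described in the thread (for contrast, not for use):
    try loopback first, and on failure silently fall back to 0.0.0.0."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((LOOPBACK, port))
    except OSError:
        s.bind((ANY, port))  # listener now reachable from other hosts
    s.listen(5)
    return s


def bind_loopback_only(port):
    """Hardened pattern: bind to loopback only. If that fails, do not fall back
    to another interface; close the socket and report that the server is disabled."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((LOOPBACK, port))
        s.listen(5)
    except OSError:
        s.close()
        return None  # caller should treat None as "plugin disabled"
    return s


def address_is_acceptable(addr):
    """Validate a user-supplied bind address from a settings dialog: only a
    loopback address passes, so 0.0.0.0 or a LAN address is rejected up front."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_loopback_listener(sock):
    """Check what a listening socket actually bound to, independent of what was asked for."""
    return sock.getsockname()[0] == LOOPBACK


def demo():
    """Bind once on loopback (OS-chosen port), then try the same port again:
    the second attempt must yield None rather than a 0.0.0.0 listener."""
    first = bind_loopback_only(0)
    port = first.getsockname()[1]
    second = bind_loopback_only(port)  # port is now occupied
    result = {
        "first_is_loopback": is_loopback_listener(first),
        "second_disabled": second is None,
        "port": port,
    }
    first.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The settings-level check (`address_is_acceptable`) and the bind-time check (`is_loopback_listener`) are both worth having: the first stops a misconfiguration before the socket exists, the second catches any code path, such as the fallback in `bind_with_fallback`, that ends up listening somewhere other than loopback.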
Hello again to all.
Your project not only has great intentions, it has a real purpose.
I'm glad that you thought and are thinking about security but no one understood that.
I suggest not only providing more correct info but also, please, not closing an issue without proper discussion before closing it.
Also, I suggest that it should bind to a specific port, not only to the IP.
The project description is now more accurate, but I can tell you guys that without KeePassHTTP implemented, I wouldn't have tried the app.
I closed it because we had the KeePassHTTP discussion already in #147 and I don't really want to scatter bits of information around in different places.
Binding to different ports is generally unproblematic and should be user-controllable. There is no standard KeePassHTTP port, so it's quite possible that another application occupies whatever port we choose.