>As KeePassXC is a relatively complex program and the review effort was limited, I did not review all of the code base. Some helper features remain unreviewed, for example: TOTP, SSH agent, browser plug-in communication, auto-type, KeeShare password sharing mechanism, freedesktop integration, HIBP support, database statistics feature. Maybe these features could be the subject of a next review version.
Those integrations seem like scary weak points, especially the browser one... and I'm a little confused because later on he says he did review the browser extension code:
>KeePassXC supports integration with browser extensions. The communication between the password manager application and the browser extensions is implemented using secure and modern libsodium-style encryption. I personally trust this cryptography choice and salute the use of encryption to communicate with browser extensions.
Hi there, lead developer of KeePassXC here (and writer of a lot of code). The TOTP and SSH Agent are generally not a security issue. TOTP has no external interfaces and SSH Agent only writes to the known interface standards of those programs. There is actually not much to those code areas.
Auto-Type is similarly rather simple at the interface level (except for X11, because it's X11). We call native OS functions to emulate typing.
Similarly, the internal reporting features are rather benign. HIBP checks require explicit approval by the user before anything happens.
The browser code and FDO Secrets code definitely need auditing. The browser extension is separate from the browser code within KeePassXC proper.
KeeShare is going to be entirely rewritten for our 2.8.0 release.
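The HIBP check mentioned above is the one place in this list where data leaves the machine, so it is worth seeing what actually goes over the wire. The following is an added example, not KeePassXC's own code and not the browser protocol: it reconstructs the Have I Been Pwned k-anonymity range lookup offline. Assumptions (labelled in the code): the range API takes the first 5 uppercase hex characters of the password's SHA-1 and returns `SUFFIX:COUNT` lines; the HTTPS transport is replaced by a caller-supplied `fetch_range` callable so the script runs with no network; the `approved` flag stands in for the user-consent gate the developer describes and is not KeePassXC's UI logic. The breach data and counts are constructed for the example.

```python
"""Offline reconstruction of the HIBP k-anonymity password range check.

Added example, not KeePassXC code. Only the 5-character SHA-1 prefix is
ever handed to the (here simulated) remote service; the 35-character
suffix is compared locally. The 'approved' parameter models the explicit
user consent step, not KeePassXC's actual UI.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that may be
    sent and the 35-char suffix that must stay on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_sample_range(prefix: str, breached: Dict[str, int]) -> str:
    """Construct a fake range response (test data, not real HIBP output).

    Mirrors the assumed wire format: one 'SUFFIX:COUNT' line per hash in
    the prefix bucket, CRLF separated. Adds one filler suffix so a miss is
    distinguishable from an empty bucket.
    """
    lines: List[str] = []
    for pw, count in breached.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    filler = hashlib.sha1(b"filler-" + prefix.encode()).hexdigest().upper()[5:]
    lines.append(f"{filler}:1")
    return "\r\n".join(lines)


def count_in_range(suffix: str, response_text: str) -> int:
    """Local comparison of our suffix against the returned bucket.
    Returns the breach count, or 0 if the suffix is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        s, _, count = line.partition(":")
        if s.upper() == suffix:
            return int(count)
    return 0


def hibp_check(password: str,
               fetch_range: Callable[[str], str],
               approved: bool) -> Optional[int]:
    """Consent-gated check: with approved=False nothing is computed or
    fetched and None is returned; otherwise only the prefix reaches
    fetch_range and the breach count is returned."""
    if not approved:
        return None
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def make_recording_fetcher(breached: Dict[str, int]):
    """Fake transport that records every prefix it was asked for, so a
    caller can verify what would have left the machine."""
    calls: List[str] = []

    def fetch_range(prefix: str) -> str:
        calls.append(prefix)
        return build_sample_range(prefix, breached)

    return fetch_range, calls


if __name__ == "__main__":
    # Constructed breach set: the counts are invented for the example.
    fetch, sent = make_recording_fetcher({"password": 3})
    print("no consent:", hibp_check("password", fetch, approved=False), sent)
    print("consent:   ", hibp_check("password", fetch, approved=True), sent)
    print("unknown:   ", hibp_check("correct horse battery staple", fetch, True))
```

The recording fetcher is the check a practitioner would want: after a run with `approved=False` the call list is empty, and after a consenting run it holds exactly one 5-character prefix and nothing derived from the full hash.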