
Remove note about KeePassHTTP being weak #19

Closed
wants to merge 1 commit into from

Conversation

jsha

@jsha jsha commented Jul 13, 2017

I am helping to edit a guide to using KeePassXC, and found that the author had inserted a warning: "If your machine is compromised, an attacker can intercept the communication between your browser plug-in and KeePassXC." I believe that was motivated by the warning text here. As noted in pfn/keepasshttp#258 and keepassxreboot/keepassxc#147, communicating via HTTP with localhost is safe, since an attacker who can intercept localhost communications can just read your passwords directly.

Since localhost-only is now the default mode in KeePassHTTP, I think this note just creates confusion and unnecessary fear among users.

@phoerious
Member

@droidmonkey @TheZ3ro opinions?

I think if it were for KeePassXC alone, we could remove the warning. But there are also other products which use KeePassHTTP (such as the original KeePass). Those products usually allow using it over the network. So maybe we shouldn't remove it completely but reword it?

We should definitely remove it, once we switch to keepassxc-browser.

@droidmonkey
Member

I vote for reword and point to (link) the effort that we are supporting to replace it.

@jsha
Author

jsha commented Jul 14, 2017

there are also other products which use KeePassHTTP (such as the original KeePass). Those products usually allow to use it over the network.

Right, but putting a warning in the KeePassXC documentation won't help the users of those other products, who won't see it.

@TheZ3ro
Contributor

TheZ3ro commented Jul 14, 2017

Right, but putting a warning in the KeePassXC documentation won't help the users of those other products, who won't see it.

👍

@phoerious
Member

No, but it will help KeePassXC users who don't use KeePassXC exclusively (there seem to be quite a few). It also helps former users who abandon us for whatever reason.

@phoerious
Member

Closing this as we are about to deprecate KeePassHTTP anyway.
