Control: severity -1 wishlist Control: forwarded -1 https://github.com/sharkwouter/minigalaxy/issues/282 Control: tags -1 upstream
Hi, thanks for your bug report. I've taken a look into it and I reduced the severity for a couple of reasons. > On startup it shows a login window which looks suspiciously like a GOG > login window in a web browser, but without without any possibility to > check its origin: It has no location bar, i.e. shows no URL, it doesn't > indicate if the entered credentials are transmitted encrypted via HTTPS > or not, and it offers no chance to review the HTTPS TLS certificate if > present. Since Minigalaxy is open source, it's very easy to check if it connects actually to GOG via https. I checked the code and it is fine. This problem actually isn't solved by showing an address bar or the certificate, since that can easily be spoofed. It could just connect to GOG to show the certificate but also connect to a different, similar looking website and show it to the user. This applies to all browsers, that is why open source is important. > Possible solution: Don't use an embedded browser windows but call > sensible-browser or so to use the browser which the user is probably > already logged in to GOG anyways. In the forwarded bug report the maintainer states that an external browser is not a solution at the moment. Their argumentation sounds reasonable to me. However, I will look into adding the address, as it probably is not a bad idea. But this is more of a wishlist thing, not an actual security concern (at least to me). Regards, Stephan