Hi Axel,
On 03/02/2021 02:09, Axel Beckert wrote:
Hi Stephen and Stephan,
Stephen Kitt wrote:
On Tue, 02 Feb 2021 11:02:58 +0000, Stephan Lachnit
<stephanlach...@protonmail.com> wrote:
> > On startup it shows a login window which looks suspiciously like a GOG
> > login window in a web browser, but without any possibility to
> > check its origin: It has no location bar, i.e. shows no URL, it doesn't
> > indicate if the entered credentials are transmitted encrypted via HTTPS
> > or not, and it offers no chance to review the HTTPS TLS certificate if
> > present.
>
> Since Minigalaxy is open source, it's very easy to check whether it
> actually connects to GOG via https. I checked the code and it is fine.
I had checked it before sponsoring the initial upload too.
This is one of those things I tend to assume from Debian: that the
packages provided in the archives are safe.
Ack. But MITM attacks happen outside of the software. Think DNS
spoofing. Before I enter a password anywhere, I should be able to
check at least the certificate.
Ah yes, that is a good point!
> This problem actually isn't solved by showing an address bar or the
> certificate, since that can easily be spoofed.
Indeed. But here Stephen's argument fits: I tend to assume that the
packages provided in the Debian archives are safe. I just can't assume
that the network I'm in is safe.
Agreed, we can’t trust the network.
> > Possible solution: Don't use an embedded browser window but call
> > sensible-browser or so to use the browser which the user is probably
> > already logged in to GOG anyways.
>
> In the forwarded bug report the maintainer states that an external
> browser is not a solution at the moment. Their argumentation sounds
> reasonable to me.
Feared that.
> However, I will look into adding the address, as it probably is not a
> bad idea. But this is more of a wishlist thing, not an actual security
> concern (at least to me).
As mentioned, I haven't got Stephan's mail. I now see that this has
been downgraded to wishlist with that mail. I disagree. This is a clear
issue.
I must admit, though, that the login window at least says "Unacceptable
TLS certificate" if I try to do a MITM attack on auth.gog.com.
I am nevertheless still of the opinion that this is not a feature
request but a security issue.
See also lgogdownloader which does pretty much the same thing.
Actually I tried that one first as it was in Debian first. Horrible
user experience:
It's a Qt-written tool according to its dependencies (i.e. a GUI)
which asks me "E-Mail:" on the command line (!) without any context as
to which e-mail address is wanted and what it is used for. I assume it's
the e-mail address used in the GOG account, but that UI is
unacceptable. (Didn't write a bug report for that. Just uninstalled
it. But this one has security impact.)
Hmm, right, I must just be unlucky and always hit the reCAPTCHA... The
GUI pops up then. Perhaps it would be useful to provide an option to
always use the GUI.
Regards,
Stephen