Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)

Stephan Lachnit stephanlachnit at protonmail.com
Tue Feb 2 11:02:58 GMT 2021


Control: severity -1 wishlist
Control: forwarded -1 https://github.com/sharkwouter/minigalaxy/issues/282
Control: tags -1 upstream

Hi,

thanks for your bug report. I've taken a look into it and I reduced the
severity for a couple of reasons.

> On startup it shows a login window which looks suspiciously like a GOG
> login window in a web browser, but without any possibility to
> check its origin: It has no location bar, i.e. shows no URL, it doesn't
> indicate if the entered credentials are transmitted encrypted via HTTPS
> or not, and it offers no chance to review the HTTPS TLS certificate if
> present.

Since Minigalaxy is open source, it's very easy to check whether it
actually connects to GOG via HTTPS. I checked the code and it is fine.

This problem actually isn't solved by showing an address bar or the
certificate, since that can easily be spoofed. It could just connect
to GOG to show the certificate but also connect to a different,
similar-looking website and show it to the user. This applies to all
browsers; that is why open source is important.

> Possible solution: Don't use an embedded browser windows but call
> sensible-browser or so to use the browser which the user is probably
> already logged in to GOG anyways.

In the forwarded bug report the maintainer states that an external
browser is not a solution at the moment. Their argument sounds
reasonable to me.

However, I will look into adding the address, as it probably is not a
bad idea. But this is more of a wishlist thing, not an actual security
concern (at least to me).

Regards,
Stephan
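The point both sides make above is that an embedded login view shows the user no origin, so the origin has to be enforced by the application itself rather than read off an address bar. The following is an added example (not Minigalaxy's code, and not from the Debian or upstream bug report) of the policy checks such an application would run before letting the embedded view load a page or submit credentials. The allowed host names, the decision labels and the `navigation_decision` signature are assumptions for illustration; in a WebKit2GTK application these functions would be called from the view's navigation-policy handler, and the TLS errors policy of the web context would be set to fail on certificate errors.

```python
"""Added example: enforce the login origin for an embedded browser view.

This is hypothetical policy code, not Minigalaxy's. The WebKit view and
signal wiring are left out so the module runs offline; a real client
would call navigation_decision() from its decide-policy handler and
configure the web context to FAIL on TLS errors rather than prompt.
"""
from urllib.parse import urlsplit

# Assumed allowlist for illustration; the real login endpoints are not
# taken from the bug report.
ALLOWED_HOSTS = {"auth.gog.com", "login.gog.com"}


def is_allowed_login_url(url: str) -> bool:
    """True only for https:// URLs whose host is exactly on the allowlist.

    Exact matching rejects lookalike hosts (auth.gog.com.evil.example),
    userinfo tricks (https://auth.gog.com@evil.example/), plaintext
    downgrades and non-http schemes such as javascript: or file:.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname      # already lowercased by urlsplit
        port = parts.port          # raises ValueError on a bogus port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if host is None or port not in (None, 443):
        return False
    return host.rstrip(".") in ALLOWED_HOSTS


def navigation_decision(url: str, is_top_frame: bool, tls_errors: bool) -> str:
    """Decide what the embedded view does with a navigation request.

    Returns 'allow', 'block' or 'external'. Anything off the allowlist
    never loads inside the credential-entry view: top-level navigations
    go to the system browser, sub-frames are blocked outright so a
    lookalike page cannot be framed next to the genuine one.
    Caveat (assumption): a real login page may embed third-party frames
    such as a captcha, which would need their own allowlist entries.
    """
    if tls_errors:
        return "block"
    if is_allowed_login_url(url):
        return "allow"
    return "external" if is_top_frame else "block"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("https://auth.gog.com/auth?client_id=1", True, False),
        ("http://auth.gog.com/auth", True, False),
        ("https://auth.gog.com@evil.example/auth", True, False),
        ("https://auth.gog.com.evil.example/", False, False),
        ("https://auth.gog.com/", True, True),
    ]
    for url, top, tls in samples:
        print(f"{navigation_decision(url, top, tls):8} {url}")
```

The check is deliberately an exact host match rather than a suffix match: a suffix rule such as "ends with gog.com" is the classic mistake that lets `evilgog.com` or `gog.com.evil.example` through, and it is exactly the class of lookalike site the reply above warns about.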

