Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)

Stephen Kitt skitt at debian.org
Tue Feb 2 19:51:02 GMT 2021


Hi Axel,

On Tue, 02 Feb 2021 11:02:58 +0000, Stephan Lachnit
<stephanlachnit at protonmail.com> wrote:
> > On startup it shows a login window which looks suspiciously like a GOG
> > login window in a web browser, but without any possibility to
> > check its origin: It has no location bar, i.e. shows no URL, it doesn't
> > indicate if the entered credentials are transmitted encrypted via HTTPS
> > or not, and it offers no chance to review the HTTPS TLS certificate if
> > present.
> 
> Since Minigalaxy is open source, it's very easy to check if it connects
> actually to GOG via https. I checked the code and it is fine.

I had checked it before sponsoring the initial upload too. This is one of
those things I tend to assume from Debian: that the packages provided in the
archives are safe.

> This problem actually isn't solved by showing an address bar or the
> certificate, since that can easily be spoofed. It could just connect
> to GOG to show the certificate but also connect to a different, similar
> looking website and show it to the user. This applies to all browsers,
> that is why open source is important.

Yup, exactly, it would be quite easy for a malicious client to present a
reassuring UI; having such a UI wouldn’t prove anything.

> > Possible solution: Don't use an embedded browser window but call
> > sensible-browser or so to use the browser which the user is probably
> > already logged in to GOG anyways.
> 
> In the forwarded bug report the maintainer states that an external
> browser is not a solution at the moment. Their argumentation sounds
> reasonable to me.
> 
> However, I will look into adding the address, as it probably is not a
> bad idea. But this is more of a wishlist thing, not an actual security
> concern (at least to me).

See also lgogdownloader which does pretty much the same thing.

Regards,

Stephen
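The thread's point is that an embedded login view cannot prove its origin to the user, so the only real assurance is in the client's own code: it must navigate solely to the expected host over HTTPS. The following is an added example of such a navigation policy, written for this page and not taken from Minigalaxy or lgogdownloader; the host allowlist and the `navigation_allowed` / `audit_navigations` names are assumptions for illustration. The check also covers the URL-parsing pitfalls a naive substring test would miss (userinfo tricks, look-alike subdomains, non-standard ports).

```python
from urllib.parse import urlsplit

# Illustrative allowlist for an embedded GOG login view. This is an assumption
# for the example, not configuration taken from Minigalaxy or from GOG.
ALLOWED_LOGIN_HOSTS = frozenset({"login.gog.com", "auth.gog.com", "www.gog.com", "gog.com"})


def navigation_allowed(url: str, allowed_hosts=ALLOWED_LOGIN_HOSTS) -> bool:
    """Return True only if url is an https:// URL whose host is exactly on the allowlist.

    Intended as the decision function behind a web view's navigation-policy
    callback: anything that returns False should be blocked before a request
    is issued, so credentials typed into the view can only reach the expected
    origin.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError:
        return False

    # Only TLS: plain http:// would send the password in the clear, and schemes
    # like javascript: or file: have no business in a login flow at all.
    if parts.scheme.lower() != "https":
        return False

    # urlsplit().hostname is lowercased and has userinfo and port stripped, so
    # "https://login.gog.com@evil.example/" yields hostname "evil.example".
    host = parts.hostname
    if not host:
        return False

    # Reject embedded credentials outright rather than relying on hostname parsing alone.
    if parts.username is not None or parts.password is not None:
        return False

    # Only the default TLS port; an explicit odd port is a sign of redirection elsewhere.
    if port not in (None, 443):
        return False

    # Exact host match: "login.gog.com.evil.example" must not pass a suffix test.
    return host in allowed_hosts


def audit_navigations(urls):
    """Classify a sequence of navigation targets, returning (url, allowed) pairs."""
    return [(u, navigation_allowed(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample of navigation attempts an embedded view might see.
    sample = [
        "https://login.gog.com/auth?client_id=example",
        "http://login.gog.com/auth",
        "https://login.gog.com.evil.example/auth",
        "https://login.gog.com@evil.example/auth",
        "https://login.gog.com:8443/auth",
        "javascript:alert(1)",
    ]
    for url, ok in audit_navigations(sample):
        print(("allow " if ok else "BLOCK ") + url)
```

Wiring this into the GTK/WebKit view itself would mean returning the decision from the view's navigation-policy signal handler; that part is toolkit-specific and left out here. The important design choice is the exact-host comparison on `urlsplit().hostname` rather than `"gog.com" in url`, which the third and fourth sample URLs would defeat.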