Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)

Axel Beckert abe at debian.org
Wed Feb 3 01:09:55 GMT 2021


Hi Stephen and Stephan,

(JFYI: I only got Stephen's mail.)

Stephen Kitt wrote:
> On Tue, 02 Feb 2021 11:02:58 +0000, Stephan Lachnit
> <stephanlachnit at protonmail.com> wrote:
> > > On startup it shows a login window which looks suspiciously like a GOG
> > > login window in a web browser, but without any possibility to
> > > check its origin: It has no location bar, i.e. shows no URL, it doesn't
> > > indicate if the entered credentials are transmitted encrypted via HTTPS
> > > or not, and it offers no chance to review the HTTPS TLS certificate if
> > > present.  
> > 
> > Since Minigalaxy is open source, it's very easy to check if it
> > actually connects to GOG via https. I checked the code and it is fine.
>
> I had checked it before sponsoring the initial upload too.
>
> This is one of those things I tend to assume from Debian: that the
> packages provided in the archives are safe.

Ack. But MITM attacks happen outside of the software. Think DNS
spoofing. Before I enter a password anywhere, I should be able to
check at least the certificate.

> > This problem actually isn't solved by showing an address bar or the
> > certificate, since that can easily be spoofed.

Indeed. But here Stephen's argument fits: I tend to assume that the
packages provided in the Debian archives are safe. I just can't assume
that the network I'm in is safe.

> > > Possible solution: Don't use an embedded browser window but call
> > > sensible-browser or so to use the browser which the user is probably
> > > already logged in to GOG anyways.  
> > 
> > In the forwarded bug report the maintainer states that an external
> > browser is not a solution at the moment. Their argumentation sounds
> > reasonable to me.

Feared that.

> > However, I will look into adding the address, as it probably is not a
> > bad idea. But this is more of a wishlist thing, not an actual security
> > concern (at least to me).

As mentioned, I haven't got Stephan's mail. I now see that this has
been downgraded to wishlist with that mail. I disagree. This is a clear issue.

I must admit, though, that the login window at least says "Unacceptable
TLS certificate" if I try to do a MITM attack on auth.gog.com.

I am nevertheless still of the opinion that this is not a feature
request but a security issue.

> See also lgogdownloader which does pretty much the same thing.

Actually I tried that one first as it was in Debian first. Horrible
user experience:

It's a Qt-written tool according to its dependencies (i.e. a GUI)
which asks me "E-Mail:" on the command line (!) without any context as
to which e-mail address is wanted and what it is used for. I assume
it's the e-mail address used in the GOG account, but that UI is
unacceptable. (Didn't write a bug report for that. Just uninstalled
it. But this one has security impact.)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
