Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)

Stephen Kitt skitt at debian.org
Wed Feb 3 09:40:13 GMT 2021


Hi Axel,

On 03/02/2021 02:09, Axel Beckert wrote:
> Hi Stephen and Stephan,
> Stephen Kitt wrote:
>> On Tue, 02 Feb 2021 11:02:58 +0000, Stephan Lachnit
>> <stephanlachnit at protonmail.com> wrote:
>> > > On startup it shows a login window which looks suspiciously like a GOG
>> > > login window in a web browser, but without any possibility to
>> > > check its origin: It has no location bar, i.e. shows no URL, it doesn't
>> > > indicate if the entered credentials are transmitted encrypted via HTTPS
>> > > or not, and it offers no chance to review the HTTPS TLS certificate if
>> > > present.
>> >
>> > Since Minigalaxy is open source, it's very easy to check if it connects
>> > actually to GOG via https. I checked the code and it is fine.
>> 
>> I had checked it before sponsoring the initial upload too.
>> 
>> This is one of those things I tend to assume from Debian: that the
>> packages provided in the archives are safe.
> 
> Ack. But MITM attacks happen outside of the software. Think DNS
> spoofing. Before I enter a password anywhere, I should be able to
> check at least the certificate.

Ah yes, that is a good point!

>> > This problem actually isn't solved by showing an address bar or the
>> > certificate, since that can easily be spoofed.
> 
> Indeed. But here Stephen's argument fits: I tend to assume that the
> packages provided in the Debian archives are safe. I just can't assume
> that the network I'm in is safe.

Agreed, we can’t trust the network.

>> > > Possible solution: Don't use an embedded browser windows but call
>> > > sensible-browser or so to use the browser which the user is probably
>> > > already logged in to GOG anyways.
>> >
>> > In the forwarded bug report the maintainer states that an external
>> > browser is not a solution at the moment. Their argumentation sounds
>> > reasonable to me.
> 
> Feared that.
> 
>> > However, I will look into adding the address, as it probably is not a
>> > bad idea. But this is more of a wishlist thing, not an actual security
>> > concern (at least to me).
> 
> As mentioned, I haven't got Stephan's mail. I now see that this has
> been downgraded to wishlist with that mail. I disagree. This is a clear 
> issue.
> 
> I must admit, though, that the login window at least says "Unacceptable
> TLS certificate" if I try to do a MITM attack on auth.gog.com.
> 
> I am nevertheless still of the opinion that this is not a feature
> request but a security issue.
> 
>> See also lgogdownloader which does pretty much the same thing.
> 
> Actually I tried that one first as it was in Debian first. Horrible
> user experience:
> 
> It's a Qt-written tool according to its dependencies (i.e. a GUI)
> which asks me "E-Mail:" on the command line (!) without any context as to
> which e-mail address is wanted and what it is used for. I assume it's
> the e-mail address used in the GOG account, but that UI is
> unacceptable. (Didn't write a bug report for that. Just uninstalled
> it. But this one has security impact.)

Hmm, right, I must just be unlucky and always hit the reCAPTCHA... The 
GUI pops up then. Perhaps it would be useful to provide an option to 
always use the GUI.

Regards,

Stephen
