minigalaxy icon indicating copy to clipboard operation
minigalaxy copied to clipboard

Published 20 hours ago verified publisher icon sharkwouter

Show certificate in embedded browser

Open stephanlachnit opened this issue 4 years ago • 5 comments

Minigalaxy got into Debian (yay), but there are security concerns about the GOG login: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981520

In practice we can simply look at the code (which I haven't done yet btw), but it's not a bad idea to show the URL and certificate for a login. I'm not sure how good the default Browser thingy would work in Python, will look into it.

stephanlachnit avatar Feb 02 '21 00:02 stephanlachnit

This is nonsense. Showing the user the url does not change the security in any way and using another browser is impossible. Does he realize Minigalaxy is open source?

What he suggests will make him feel safer, but not change the security model. We can implement that, but it's not a security issue.

In summary:

  • We use the system's webkit
  • We use https everywhere
  • We need the url which the browser window goes to after logging it. That contains the code we need to login on the API. We cannot do this is another way at the moment.

sharkwouter avatar Feb 02 '21 07:02 sharkwouter

Agreed, I have taken a look at the code and have no doubt that it is fine. I think adding the address is not that big of a deal in Gtk, I will look into it when I have the time.

stephanlachnit avatar Feb 02 '21 11:02 stephanlachnit

Does he realize Minigalaxy is open source?

Do you realize that Debian only accepts free software (and not just open source)?

We use https everywhere

Then show it!

xtaran avatar Feb 03 '21 01:02 xtaran

Okay, my bad about setting the wrong tone here. Let's try to keep it a bit more civil from now on.

We can show it to the user directly, but it's not a really high priority at the moment. I do agree it can be a good idea to do that. It's not really a security issue, though, more of a trust issue.

The URL used for the login screen is constructed in the code here:

https://github.com/sharkwouter/minigalaxy/blob/1.0.1/minigalaxy/api.py#L115-L122

The login screen is started here:

https://github.com/sharkwouter/minigalaxy/blob/1.0.1/minigalaxy/ui/window.py#L155-L160

The redirect_url comes from here:

https://github.com/sharkwouter/minigalaxy/blob/1.0.1/minigalaxy/api.py#L17

The login screen is this class:

https://github.com/sharkwouter/minigalaxy/blob/1.0.1/minigalaxy/ui/login.py#L12-L51

I hope that helps reduce your worries. The GOG API and login screen only support HTTPS, which is a good thing.

sharkwouter avatar Feb 03 '21 08:02 sharkwouter

The original bug reporter pointed out that the main risk to consider isn’t in the source code or the API, it’s the network. So showing the URL isn’t all that useful, as you say, but allowing the certificate to be examined would be, unless some form of certificate pinning is used (which would be fantastic).

skitt avatar Feb 04 '21 20:02 skitt