EVE launcher requests UI over plain HTTP, are you serious?

Eklykti
Anarchy Squad
UA Fleets
#1 - 2016-01-11 09:37:00 UTC
Just read the post at the eve-ru forum with a very interesting launcher screenshot.

Then I opened Wireshark and checked what really happens between the new launcher and the host that serves its UI at CloudFront (it was 54.240.184.192 for me).

So:

  • There's some small encrypted dialog
  • Then, the Launcher UI is requested over plain HTTP
  • In the reply, it issues 301 redirect to the HTTPS version

  • Now what can happen in the next moment:

  • Mallory sitting in the middle captures this redirect and replaces it with something that looks very much like the real launcher authentication UI.
  • User thinks: Damn, probably something logged me out
  • User enters his password again
  • Mallory simulates a launcher crash and the server being inaccessible, then uses the received credentials to log in to the user's account and do some dirty RMT business.

  • Because the launcher doesn't even have the common web browser UI elements like that green lock icon that you can see right now in your address bar, the user can't tell any difference until his password is stolen.

Additionally, the HTTPS reply doesn't contain any HSTS header, which could prevent unencrypted connections after receiving at least one legitimate reply.

Why then does the HTTP request exist at all? Why not just go straight to the HTTPS page? You could even use HPKP to ensure that the reply comes from your servers and not from a Kazakhstan MITM proxy, or the CIA, or even from Vasily Pupkin who has installed his CA certificate with his Very Cool Internet Accelerator Program.
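As an added example (not code from the thread, the launcher, or CCP), here is a small Python audit of the exchange the post describes: it checks a constructed, labelled pair of replies for the three weaknesses listed above, the plain-HTTP first request, the reliance on an unauthenticated redirect to reach HTTPS, and the missing (or too short) HSTS header. The hostnames and the one-year max-age threshold are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Minimum HSTS max-age this audit accepts (one year). This is the example's own
# threshold, not a value taken from the thread.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample replies modelled on the post: a plain-HTTP request answered
# by a 301 to HTTPS, and an HTTPS reply that sets no HSTS header.
SAMPLE_HTTP_REPLY = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://launcher-ui.example/index.html\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_HTTPS_REPLY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
# Constructed hardened reply: served directly over HTTPS with a long-lived HSTS policy.
HARDENED_HTTPS_REPLY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html>..."
)


def parse_headers(raw_reply):
    """Split a raw HTTP reply into (status code, {lower-case header name: value})."""
    head = raw_reply.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(headers):
    """Return the max-age from Strict-Transport-Security, or None if absent or malformed."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_launcher_fetch(first_url, first_reply, https_reply):
    """Report the downgrade-related weaknesses of one launcher-UI fetch as a list of findings."""
    findings = []
    if urlparse(first_url).scheme != "https":
        findings.append("initial UI request sent over plain HTTP (reply can be replaced in transit)")
    status, headers = parse_headers(first_reply)
    if status in (301, 302, 307, 308) and urlparse(headers.get("location", "")).scheme == "https":
        findings.append("reaches HTTPS only via an unauthenticated redirect")
    age = hsts_max_age(parse_headers(https_reply)[1])
    if age is None:
        findings.append("HTTPS reply sets no Strict-Transport-Security header")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return findings
```

Running the audit on a real capture means pasting the first request URL and the two raw replies from Wireshark in place of the constructed samples.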
CCP Snorlax
C C P
C C P Alliance
#2 - 2016-01-11 12:00:34 UTC
I'm investigating.

CCP Snorlax - Software Architect - Team RnB - @CCP_Snorlax - http://ccpsnorlax.blogspot.is/

Lion Arthie
Doomheim
#3 - 2016-01-20 23:14:28 UTC
CCP Snorlax wrote:
I'm investigating.

From the scenario that Eklykti put forward, this is a very serious issue!

I supposed that CCP would, by default, have the 'green lock' instance be available within the launchers. Now that got me sceptical. What? Especially with more people migrating to the new launcher, what guarantee do we have that the old/new launcher is/will be secure to log in?