l0b0 Mar 10 @ 11:09am
Improve TLS support
I'm currently running an experiment where I block outgoing connections on port 80 to detect privacy and security issues with websites and programs. I have had some problems with the Steam client and web site:

  • The Steam client attempts to download game updates via insecure HTTP. By hijacking DNS an attacker could therefore make the Steam client download harmful updates. They could also tell which games I'm downloading. I don't know whether the updates are verified separately by the Steam client before being applied, but even if they are, why not change the delivery protocol to HTTPS to make verification simpler and privacy the default?
  • The Steam client uses insecure HTTP for the shop subsystem. This also has both security and privacy implications: The network requests can be intercepted and modified to display for example a phishing site or to load exploit code into the Steam browser.
  • https://steampowered.com/ (without "www") has an invalid certificate (it only verifies subdomains of steampowered.com), and when I access it I get an error message saying "You don't have permission to access "/D/935/296433/000/origin.steampowered.com/" on this server."
Showing 1-2 of 2 comments
aiusepsi Mar 11 @ 5:59pm 
Originally posted by l0b0:
By hijacking DNS an attacker could therefore make the Steam client download harmful updates. They could also tell which games I'm downloading. I don't know whether the updates are verified separately by the Steam client before being applied, but even if they are, why not change the delivery protocol to HTTPS to make verification simpler and privacy the default?
It does verify them separately. The Steam content delivery system is explicitly designed to be cacheable; as an example, it's actually very common now for organised LAN parties to set up a system on the network that does indeed hijack DNS for the purpose of caching Steam content on a local server. This means that a download only has to be fetched once over the Internet. This wouldn't be possible with HTTPS.
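An added example, not part of the original posts and not Valve's code: a sketch of the "verified separately" design described above, assuming a hypothetical manifest of per-chunk SHA-256 digests that the client obtained over an authenticated channel. The class names and the `/chunk/` URL layout are assumptions; the sample content is constructed.

```python
import hashlib
import hmac

CHUNK_SIZE = 8                                   # tiny, for the demo only
CONTENT = b"constructed sample update payload"   # constructed sample data

def make_manifest(content, chunk_size):
    """Publisher side: ordered SHA-256 digest of every chunk."""
    return [hashlib.sha256(content[i:i + chunk_size]).hexdigest()
            for i in range(0, len(content), chunk_size)]

# Assumption: the client received this manifest over an authenticated channel.
MANIFEST = make_manifest(CONTENT, CHUNK_SIZE)

class PlainHttpMirror:
    """Stand-in for any plaintext chunk server: origin, LAN cache or impostor."""
    def __init__(self, chunks):
        self.chunks = chunks
        self.request_log = []                    # readable by anyone on the path

    def get(self, digest):
        self.request_log.append("GET /chunk/" + digest)   # hypothetical URL layout
        return self.chunks.get(digest)

def download(manifest, mirrors):
    """Fetch each chunk, accepting a body only if it hashes to the manifest entry."""
    parts, rejected = [], 0
    for digest in manifest:
        for mirror in mirrors:
            body = mirror.get(digest)
            if body is None:
                continue
            if hmac.compare_digest(hashlib.sha256(body).hexdigest(), digest):
                parts.append(body)
                break
            rejected += 1                        # modified in transit or at the cache
        else:
            raise ValueError("no mirror returned a valid chunk for " + digest)
    return b"".join(parts), rejected

def demo():
    good = {d: CONTENT[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE] for i, d in enumerate(MANIFEST)}
    tampered = dict(good)
    tampered[MANIFEST[2]] = b"MODIFIED"          # cache serves a modified third chunk
    lan_cache, origin = PlainHttpMirror(tampered), PlainHttpMirror(good)
    data, rejected = download(MANIFEST, [lan_cache, origin])
    return data, rejected, lan_cache.request_log

if __name__ == "__main__":
    data, rejected, seen = demo()
    print(data == CONTENT, rejected, len(seen))
```

The modified chunk is rejected and refetched, so integrity survives the DNS redirect, but the request log still exposes which chunks were requested, which is the privacy concern hash verification does not address.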
__ Mar 12 @ 11:07am 
Perhaps the idea is to ensure it can be intercepted by web filters, government agencies, etc. The age gate on some products is plaintext too, and you cannot force HTTPS as it will redirect to plaintext.

The only non-cacheability of HTTPS is by third parties such as ISPs. Content delivery servers under the control of Valve should be not at all difficult to run as HTTPS.

Date Posted: Mar 10 @ 11:09am
Posts: 2