bntjah / lancache

Improve download speeds and reduce strain on your Internet connection at LAN parties. Locally cache game installs and updates from the largest distributors: Steam, RIOT, Blizzard, Hirez, Origin, Sony, Microsoft, Tera, GOG, ArenaNetworks, WarGaming, and Uplay. Super easy to set up with the auto installer script!

GoG - server not found #13

Closed imac2009 closed 7 years ago

imac2009 commented 8 years ago

I spotted an issue here on my setup. The GoG Galaxy client complains every time I try to start a download. This happens exactly at the moment where the game's EULA/ToS should appear. Downloading the GoG Galaxy software and logging in work, by the way.

Did you encounter similar problems here?

bntjah commented 8 years ago

@nexusofdoom I know you've supplied me with the info concerning GoG; would it be possible to have a look and see if there is something missing? Thanks!

imac2009 commented 8 years ago

Yes, of course. Today, somewhere around 9pm-11pm GMT+1, I would like to give more time to investigating this, but the server's hardware is pretty noisy :)

nexusofdoom commented 8 years ago

Sorry, never used or tested GOG.

imac2009 commented 8 years ago

Me neither, but as it is provided, I just tried it.

nexusofdoom commented 8 years ago

If you have time, can you run Wireshark and see where it's pulling files from? Thanks.


nexusofdoom commented 8 years ago

This might be an SSL connection: "This happens exactly at the moment where the game's EULA/ToS should appear."


imac2009 commented 8 years ago

Great suggestion, looking into this later.

Stealthii commented 8 years ago

GOG has recently moved to HTTPS for content delivery, like Riot, and does not currently offer any downgrade facility for RFC1918 addresses.

I have contacted GOG's support team about possibly implementing this as a feature, but until then, this feature is blocked from cache support.

bntjah commented 8 years ago

Thanks for letting us know, Stealthii. Do let us know how your ticket resolves :P

bntjah commented 7 years ago

@Stealthii did you happen to get any update? Perhaps it's possible to cache this through our own SSL certificate, or do they check whether it's a certificate from them?

nexusofdoom commented 7 years ago

Did anyone try the new CDN servers?

local-zone: "images-1.gog.com." redirect
local-data: "images-1.gog.com. 600 IN A x.x.x.x"
local-zone: "images-2.gog.com." redirect
local-data: "images-2.gog.com. 600 IN A "
local-zone: "images-3.gog.com." redirect
local-data: "images-3.gog.com. 600 IN A "
local-zone: "images-4.gog.com." redirect
local-data: "images-4.gog.com. 600 IN A "
local-zone: "images-5.gog.com." redirect
local-data: "images-5.gog.com. 600 IN A "
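As an added example (not code from the lancache project or from anyone in this thread), a small checker for unbound `local-zone ... redirect` / `local-data` entries of the kind pasted above: it flags records with an empty or unparseable address, records whose `local-zone` line is missing, records that do not point at the cache box, and redirects of hosts the thread says are HTTPS-only (GOG), where a DNS redirect only produces a certificate error on the client. The sample config, the cache address 10.10.1.2 and the non-GOG hostnames are constructed for the demo.

```python
import ipaddress
import re

# Hosts this thread reports as HTTPS-only: a DNS redirect to the cache cannot
# serve them, because the client rejects any certificate the cache presents.
HTTPS_ONLY_SUFFIXES = (".gog.com",)

ZONE_RE = re.compile(r'local-zone:\s*"([^"\s]+)"\s+redirect')
DATA_RE = re.compile(r'local-data:\s*"([^"\s]+)\s+(\d+)\s+IN\s+A\s*([^"]*)"')

# Constructed sample in the lancache unbound style; 10.10.1.2 is the cache box.
SAMPLE_CONF = """\
local-zone: "steamcontent.com." redirect
local-data: "steamcontent.com. 600 IN A 10.10.1.2"
local-zone: "images-1.gog.com." redirect
local-data: "images-1.gog.com. 600 IN A 10.10.1.2"
local-zone: "images-2.gog.com." redirect
local-data: "images-2.gog.com. 600 IN A "
local-data: "images-3.gog.com. 600 IN A x.x.x.x"
local-zone: "cdn.example.net." redirect
local-data: "cdn.example.net. 600 IN A 203.0.113.5"
"""


def check_unbound_redirects(config_text, cache_ip):
    """Return {hostname: finding}; "ok" means a complete RFC1918 redirect
    to the cache for a host that can actually be served over plain HTTP."""
    cache = ipaddress.ip_address(cache_ip)
    zones = {m.group(1).rstrip(".") for m in ZONE_RE.finditer(config_text)}
    findings = {}
    for m in DATA_RE.finditer(config_text):
        name, addr = m.group(1).rstrip("."), m.group(3).strip()
        if name not in zones:
            findings[name] = "no matching local-zone redirect"
        elif not addr:
            findings[name] = "empty A record: clients cannot resolve this host"
        else:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings[name] = "unparseable address %r" % addr
                continue
            if ip != cache:
                findings[name] = "points at %s, not the cache (%s)" % (ip, cache)
            elif not ip.is_private:
                findings[name] = "cache address is not RFC1918"
            elif name.endswith(HTTPS_ONLY_SUFFIXES):
                findings[name] = "HTTPS-only host: redirect breaks certificate validation"
            else:
                findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for host, finding in check_unbound_redirects(SAMPLE_CONF, "10.10.1.2").items():
        print("%-20s %s" % (host, finding))
```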

nexusofdoom commented 7 years ago

I did make a self-signed SSL certificate, and it looks like the client checks for a correctly signed SSL certificate.

Stealthii commented 7 years ago

This is how HTTPS works. They wouldn't bother using it at all if certificate validation was disabled.

Stealthii commented 7 years ago

You have two options:

  1. Get attendees at your LAN to install a trusted self-signed CA certificate you guys issue, and sign your certs with these.
  2. Don't cache HTTPS endpoints.

There's no other way around it. If you control the machines at your LAN then option 1 may be a possibility. I doubt you'll get regular attendees to install certificates on their machines though.

nexusofdoom commented 7 years ago

More like GOG is trying to secure the transmission channel instead of validating the package (think an md5sum or GPG signature of the patch).

nexusofdoom commented 7 years ago

http://wiki.squid-cache.org/Features/HTTPS

A quick skim of the thread you reference brought Squid and HTTPS to mind. Squid can be configured to cache HTTPS content.

Maybe some local DNS trickery and Squid listening on 443, or nginx talking to it.

nexusofdoom commented 7 years ago

What about

Intercepting SSL And HTTPS Traffic With mitmproxy and SSLsplit or SSL Strip

https://www.trustwave.com/Resources/SpiderLabs-Blog/Intercepting-SSL-And-HTTPS-Traffic-With-mitmproxy-and-SSLsplit/

cerealcable commented 7 years ago

That's not really possible, as was mentioned earlier. The point of SSL certificates is the certificate authorities and the certs they sign. If your cert isn't signed by a Certificate Authority the client trusts, it would be rejected. You'd still need to generate and install the certificate authority onto client devices (i.e. other people's computers at the LAN) for this to work, which I would wish upon nobody.

From the article:

To be able to eavesdrop and modify HTTPS communication, mitmproxy pretends to be the server to the client and the client to the server, while positioned in the middle it decodes traffic from both of them. Mitmproxy generates certificates on-the-fly to fool the client into believing that they are communicating with the server. To make the client trust newly forged certificates without raising warnings, it is necessary to manually register mitmproxy as a trusted CA with the device.

If it's HTTPS and all the devices are not directly managed by you, it's definitely outside of the possibility for you to do. I wouldn't trust your certificate if I was attending your event (no offense intended). It's too much to ask of attendees, in my opinion.

Morgan Humes


nexusofdoom commented 7 years ago

Man in the Middle Hacking Fun with SSL Strip https://www.youtube.com/watch?v=PmtkJKHFX5Q

nexusofdoom commented 7 years ago

One thing for LAN gaming centers that have their own systems: they could install their own self-signed SSL certs. Examples include firewall manufacturers for large companies: http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/

Options

  1. Public events - might not want to install the self-signed cert. / Use caching providers that only use HTTP and an md5sum or GPG signature.
  2. Office setup or gaming center - install the self-signed cert on your hardware.

fhibler commented 7 years ago

Whilst it would be helpful to have this kind of HTTPS caching via MITM, I'd strongly recommend against the installation of the self-signed CA, as it could be used to intercept personal communication (Facebook, etc.).

I completely agree with @cerealcable and I would, for the above-mentioned reasons, not ask/offer this to the attendees. Data protection/privacy is a serious topic and would have to be mentioned in some kind of "event rules". It could cause a lot of negative publicity.

nexusofdoom commented 7 years ago

So the public would not have to install a CA. On the negative publicity: having a CA on a box that only accepts connections for the DNS names defined in unbound.conf, it would not do Facebook or any other sites, just the ones defined there, since the nginx vhost config files would need to be set up to use the self-signed cert per vhost config.

But a LAN center that has its own computers could install the CA, since large companies, schools and hospitals already do SSL/HTTPS inspection for data loss prevention.

bntjah commented 7 years ago

As it's HTTPS and we have no valid way to cache HTTPS yet, perhaps a transparent proxy? I am closing this.