So... here we go again.

For a while the GOG page was served solely by scripts stored server-side on GOG's end. Then, right around the time the new Privacy Policy got rolled out, Amazon AWS suddenly came into the picture, where you couldn't log into the store without allowing their scripts. Credit where it's due, GOG reverted that after feedback.

Page worked, you could block all the usual data-miners like Google, Facebook, and the like.

Now, apparently, we're feeding Tencent, of all things.

Domain Name:gog-statics.com
Registrar WHOIS Server:whois.dnspod.com
Registrar URL:https://www.dnspod.com/
Updated Date:2019-10-15 17:36:21
Creation Date:2019-10-09 02:10:49
Registrar Registration Expiration Date:2020-10-09 02:10:49
Registrar:DNSPod, Inc.
Registrar IANA ID:1697
Registrar Abuse Contact Email:email@tencent.com
Registrar Abuse Contact Phone:+86.4009100100-9
Domain Status:ok https://www.icann.org/epp#ok
Name Server:NS-298.AWSDNS-37.COM
Name Server:NS-1163.AWSDNS-17.ORG
Name Server:NS-1569.AWSDNS-04.CO.UK
Name Server:NS-663.AWSDNS-18.NET

You know, GOG, for all the stunts you pulled trying to appeal to a greater range of users, how about focusing on your users' privacy as a selling point?

Also, please make it possible to log into your store page without allowing third-party hosted scripts again. I have a lot of games in my library that I do not appreciate being hostage to your constant push for ubiquitous data-mining.

Thank you.
Lukaszmik: So... here we go again.
Privacy is long since dead, welcome to the new world of sky net, and no, I am really not kidding.
Lukaszmik: So... here we go again.
[REDACTED]
Post edited November 02, 2019 by Lord_Kane
nightcraw1er.488: Privacy is long since dead, welcome to the new world of sky net, and no, I am really not kidding.
I don't think a lack of privacy was the main problem with Skynet... unless seeing everything we've ever posted to social media was what made it decide to wipe out the human race in the first place, in which case I can fully sympathise with it.
Lukaszmik: Now, apparently, we're feeding Tencent, of all things.
What or how exactly do you think we are feeding them?
clarry: What or how exactly do you think we are feeding them?
What?

Quite a lot, actually. Aside from basic connectivity data that gets scraped (IP address, referral information, etc.), and user agent information that's core and staple of pretty much any online tracking, presumably there's quite a lot more considering how many scripts are hosted there.

Here, I'll even conveniently provide you with a list of currently active ones I found, but don't expect me to do a full security audit on them:

https://menu-static.gog.com/assets/js/footer/v2/bundle_min.1b2afb5e667f07614837fb8189136d70bbfe4cb3.js
https://menu-static.gog.com/assets/js/v2/bundle_min.1b2afb5e667f07614837fb8189136d70bbfe4cb3.js
https://menu-static.gog.com/assets/js/v2/gog-module-pusher-client_min.js
https://menu-static.gog.com/assets/js/v2/gog-module-topic-parsers_min.js
https://menu-static.gog.com/assets/js/v2/gog-module-user-storage_min.js

https://www4-static.gog.com/js/bigSpot-b59ab96.js
https://www4-static.gog.com/js/bigSpotCarousel-27258fb.js
https://www4-static.gog.com/js/customSection-83f28e1.js
https://www4-static.gog.com/js/frontpage2-3296db8.js
https://www4-static.gog.com/js/frontpageLoginTracking-244ee7b.js
https://www4-static.gog.com/js/localeCheck-f7a6621.js
https://www4-static.gog.com/js/loginTracking-16c246d.js
https://www4-static.gog.com/js/nowOnSale-89027bc.js

My point is that GOG storepage worked perfectly well with all of this being hosted on GOG.com domain, instead of by a Chinese entity, of all the possibilities. A subsidiary of Tencent, nonetheless, and don't expect me to explain everything about Tencent and their connection to CCP - plenty of information for your convenient education available at your favorite search engine.

But this is GOG, the same company that introduced Facebook integration days after Facebook got caught with the whole Cambridge Analytica thing, so I guess I shouldn't be that surprised.
Post edited November 02, 2019 by Lukaszmik
clarry: What or how exactly do you think we are feeding them?
Lukaszmik: What?

Quite a lot, actually. Aside from basic connectivity data that gets scraped (IP address, referral information, etc.), and user agent information that's core and staple of pretty much any online tracking, presumably there's quite a lot more considering how many scripts are hosted there.
"There". You haven't demonstrated how any of that ends up at Tencent, or what is hosted at Tencent, or why gog-statics.com (which doesn't resolve) is relevant.

Here, I'll even conveniently provide you with a list of currently active ones I found, but don't expect me to do a full security audit on them:
What is the relationship between those scripts and Tencent?
Post edited November 02, 2019 by clarry
Could this have anything to do with GOG's pages loading noticeably slower of late?
Maybe CD Projekt group ran out of money and this Tencent stepped in?
>gog-statics.com

>menu-static.gog.com
>www4-static.gog.com

>My point is that GOG storepage worked perfectly well with all of this being hosted on GOG.com domain

https://derpicdn.net/img/view/2014/4/28/611984.jpg
ArachnosX: >gog-statics.com

>menu-static.gog.com
>www4-static.gog.com

>My point is that GOG storepage worked perfectly well with all of this being hosted on GOG.com domain

https://derpicdn.net/img/view/2014/4/28/611984.jpg
You are right, being careless (and rushed when I posted), I did a thing.

So, here's the ones that are up right now:

https://static-login.gog-statics.com/js/7d3cec2-ad69d4d.js

https://static-login.gog-statics.com/js/2c420b1-ad69d4d.js

Edit: And, by the by, the second script seems to be a (modified) copy of jQuery.js, and includes even things like extended file upload functionality. Just what I'd love to have hosted on a Chinese server were I in charge of security of any company not operating in China (where you basically have to do locally what you're told because CPC).

As it happens, they control the login popup. I have no idea who thought getting a Chinese company involved at all was a good idea, much less getting involved in actual website login.

As for Tencent's involvement with DNSpod, can't find the article I dug out in the morning, but here's one blurb:

"DNSPod is a Chinese intelligent DNS hosting service provider launched in March, 2006 and acquired by Tencent in August 2011"

https://chineseseoshifu.com/blog/dnspod-in-china.html

DNSPod.cn is well known in security circles. They have Chinese security sentiments (take it as you will), and there have been plenty of major infractions committed using their service. The last largest one was, I believe, GandCrab ransomware.

Keep in mind that China not only has extremely stringent requirements for its own IT companies to "cooperate" with whatever requirements the government (or powerful enough individuals within it, or malicious agents taking advantage of lax security practices in the first place) require, not only ignores international trade agreements on a regular basis, not only engages in systemic spying of individuals of interest and companies, not only has an actual honest to $government_approved_deity "social credit score" that relies on mass surveillance, not only... well, you get the idea.

To give this huge of a security hole potential to a Chinese agent is baffling, especially for a company from Europe with its, at least provisional, attempts at safeguarding privacy of its citizens. General data-mining completely aside.

And the bottom line is this - you literally cannot log into your GOG library without allowing these scripts. Something that worked the last time I did my batch installer backup. Admittedly, it has been a while, since GOG's graphical overhaul discouraged me from keeping up with the news, and, coupled with all the other changes over the years, soured my desire to put money into a company I had been vocally supporting since its inception. GOG is still probably the best distro platform around right now, but I can't say I'm happy with the direction they went. This specific instance being just one of the highly questionable choices they've made.

Anyway, tl;dr: You can't log into GOG without allowing scripts from a Chinese company, owned by Tencent. Hooray.
Post edited November 03, 2019 by Lukaszmik
Lukaszmik: Anyway, tl;dr: You can't log into GOG without allowing scripts from a Chinese company, owned by Tencent. Hooray.
Actually you still can, at least for the moment. The shit, not even minified, external jquery is used to display the form, but you can work around that. You can either go to the login form directly (https://login.gog.com/login), you need to change some CSS to actually display the form or I actually managed a Stylus script, that's with a U, that will display it when logging in from a forum page. You can find it here.

Seriously GOG how difficult is it to have the crap jquery hosted on your own damn domain.
Post edited November 03, 2019 by Gydion
Lukaszmik: You are right, being careless (and rushed when I posted), I did a thing.
You're way out of line here, bruh. It was your own government that pushed globalism down the world's throat, not the Chinese government. o.O
Lukaszmik: Anyway, tl;dr: You can't log into GOG without allowing scripts from a Chinese company, owned by Tencent. Hooray.
Hold your horses. We are talking about a DNS hosting service. Do you understand the difference between DNS and web hosting? Because the quote below does not suggest you do:

Quite a lot, actually. Aside from basic connectivity data that gets scraped (IP address, referral information, etc.), and user agent information that's core and staple of pretty much any online tracking, presumably there's quite a lot more considering how many scripts are hosted there.
Your DNS resolver will not send any of that, and even your IP is probably going to be hidden because you use your ISP's (or someone else's) caching nameserver rather than going directly for the authoritative nameserver for each given domain you visit. Scripts are not hosted on a DNS server or domain name registrar.

You're making the claim that these scripts are hosted in China but I still see no evidence. I see that all of these domains are fronted by the same CDN, and all of them resolve to IPs in ranges owned by US companies.

$ host menu-static.gog.com
menu-static.gog.com is an alias for cs570.wac.deltacdn.net.
cs570.wac.deltacdn.net has address 192.229.233.146
$ host www4-static.gog.com
www4-static.gog.com is an alias for cs570.wac.deltacdn.net.
cs570.wac.deltacdn.net has address 192.229.233.146
$ host static-login.gog-statics.com
static-login.gog-statics.com is an alias for cs1364.wpc.deltacdn.net.
cs1364.wpc.deltacdn.net has address 152.199.21.209

Even if a malicious DNS provider could redirect your connection to a malicious host, they should not have GOG's private keys and thus encryption will fail and your browser will scream loud about it. It would take another fuckup for private keys to end up in the DNS provider's hands.

So if you're making the claim that we're sending data to China, you've got to provide more evidence than a Chinese registrar. (I'm a domain name registrar too, btw, and it doesn't mean I automatically get any traffic for the domains I've registered)

My ping times to static-logins.gog-statics.com are so low that it is not physically possible for the host to reside in China.

None of the DNS servers GOG uses are "first party." Most businesses have no reason to run their own authoritative DNS.

None of the registrars GOG uses are "first party." Most businesses have no reason to become their own registrar.

From a privacy perspective, these are not relevant.

Gydion: Seriously GOG how difficult is it to have the crap jquery hosted on your own damn domain.
Why do you think one of these domains is not owned by gog while the other is? It is possible to own multiple domains, you know. I do. Of course, only to the extent that you can actually "own" a domain. On the Internet, everything is sorta leased. I'm a registrar, and I can create domains directly under the .fi TLD, but these still expire unless money changes hands.
Post edited November 03, 2019 by clarry
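The registrar, the DNS host and the content host that this discussion keeps conflating can be separated mechanically from the two records quoted in the thread. The following is an added example, not part of any post here: it parses the WHOIS fields and the `host` output copied from the posts above and reports each role on its own. The function names and the name-server label heuristic are assumptions of this example.

```python
import re

# Input copied from the WHOIS record and `host` output quoted in this thread.
WHOIS = """\
Domain Name:gog-statics.com
Registrar:DNSPod, Inc.
Registrar URL:https://www.dnspod.com/
Name Server:NS-298.AWSDNS-37.COM
Name Server:NS-1163.AWSDNS-17.ORG
Name Server:NS-1569.AWSDNS-04.CO.UK
Name Server:NS-663.AWSDNS-18.NET
"""
HOST_OUTPUT = """\
menu-static.gog.com is an alias for cs570.wac.deltacdn.net.
cs570.wac.deltacdn.net has address 192.229.233.146
www4-static.gog.com is an alias for cs570.wac.deltacdn.net.
cs570.wac.deltacdn.net has address 192.229.233.146
static-login.gog-statics.com is an alias for cs1364.wpc.deltacdn.net.
cs1364.wpc.deltacdn.net has address 152.199.21.209
"""

def parse_whois(text):
    """Collect 'Key:Value' WHOIS lines into {key: [values]} (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def parse_host(text):
    """Return (aliases, addresses) maps built from `host` output lines."""
    aliases, addresses = {}, {}
    for line in text.splitlines():
        m = re.match(r"(\S+) is an alias for (\S+)$", line.strip())
        if m:
            aliases[m.group(1).lower()] = m.group(2).rstrip(".").lower()
            continue
        m = re.match(r"(\S+) has address (\S+)$", line.strip())
        if m:
            addresses.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return aliases, addresses

def resolve(name, aliases, addresses, max_hops=8):
    """Follow the CNAME chain from name; return (serving host, sorted IPs)."""
    name, hops = name.lower(), 0
    while name in aliases and hops < max_hops:  # hop limit guards against loops
        name, hops = aliases[name], hops + 1
    return name, sorted(addresses.get(name, ()))

def common_suffix(names):
    """Longest run of trailing DNS labels shared by every name ('' if none)."""
    split = [n.lower().rstrip(".").split(".")[::-1] for n in names]
    shared = []
    for labels in zip(*split):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))

def roles(whois_text, host_text):
    """Separate who registered the domain, who answers DNS, who serves content."""
    w = parse_whois(whois_text)
    aliases, addresses = parse_host(host_text)
    queried = [n for n in aliases if n not in aliases.values()]
    served = {n: resolve(n, aliases, addresses) for n in queried}
    # Heuristic for this record's naming pattern: second label, numeric suffix dropped.
    ns = {re.sub(r"-\d+$", "", h.lower().split(".")[1]) for h in w.get("name server", [])}
    return {"registrar": w["registrar"][0],
            "dns_operator_labels": sorted(ns),
            "content_edge": common_suffix([edge for edge, _ in served.values()]),
            "served": served}

if __name__ == "__main__":
    for key, value in roles(WHOIS, HOST_OUTPUT).items():
        print(key, "=", value)
```

The three roles come out as three different parties: the registrar named in WHOIS, the name servers listed in the same record, and the CDN edge that the script hostnames alias to.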
clarry: Hold your horses. We are talking about a DNS hosting service. Do you understand the difference between DNS and web hosting? Because the quote below does not suggest you do:
DNSPod.cn also offers web hosting, including cloud CDN services using Tencent's infrastructure.
clarry: Your DNS resolver will not send any of that, and even your IP is probably going to be hidden because you use your ISP's (or someone else's) caching nameserver rather than going directly for the authoritative nameserver for each given domain you visit. Scripts are not hosted on a DNS server or domain name registrar.

You're making the claim that these scripts are hosted in China but I still see no evidence. I see that all of these domains are fronted by the same CDN, and all of them resolve to IPs in ranges owned by US companies.

$ host menu-static.gog.com
menu-static.gog.com is an alias for cs570.wac.deltacdn.net.
cs570.wac.deltacdn.net has address 192.229.233.146
$ host www4-static.gog.com
www4-static.gog.com is an alias for cs570.wac.deltacdn.net.
cs570.wac.deltacdn.net has address 192.229.233.146
$ host static-login.gog-statics.com
static-login.gog-statics.com is an alias for cs1364.wpc.deltacdn.net.
cs1364.wpc.deltacdn.net has address 152.199.21.209
Coolio, can you also dig out who actually owns these servers, and more importantly, what their privacy policy is?

Because according to GOG's own, any data processed by the third-parties "partners" is not covered by GOG's own privacy policy, and I couldn't even find a web site for ANS Communications, Inc. (last time I heard that name was in dinosaur ages when AOL sold them), or deltacdn.net, either.

Because while the script hosting servers not being located in Chinese mainland itself is a slight improvement of the matter, I can't say having them in our "privacy? what privacy, you plebe, that's billions of USD worth of business" glorious nation inspires much confidence, either.
clarry: So if you're making the claim that we're sending data to China, you've got to provide more evidence than a Chinese registrar. (I'm a domain name registrar too, btw, and it doesn't mean I automatically get any traffic for the domains I've registered)

My ping times to static-logins.gog-statics.com are so low that it is not physically possible for the host to reside in China.
Somebody owns those servers, and I see no utilitarian reason for GOG.com not to host login scripts within their main sub-domain range, even if (something I sincerely doubt) the "gog-statics.com" domain is theirs.

At worst, it breaks functionality of privacy protection tools by adding an ambiguous (at best) entity into the equation, not to mention
clarry: None of the DNS servers GOG uses are "first party." Most businesses have no reason to run their own authoritative DNS.

None of the registrars GOG uses are "first party." Most businesses have no reason to become their own registrar.

From a privacy perspective, these are not relevant.
Wait, what?

In what world do DNS hijacks not exist? Do you think a hypothetical Chinese corporation, pretty much controlled by the CPC with their focus on worldwide espionage, would hesitate for a moment before doing something that'd be unlikely to be found out, much less proven, by anybody outside their sphere of control?
clarry: Why do you think one of these domains is not owned by gog while the other is?
Considering that GOG already had played around using third parties (heavily focused on datamining the "users" of its customers) for exactly the same kind of files in the past, the fact that moving these scripts to a distinct domain away from gog.com makes using privacy-protection tools all that much more difficult (particularly considering complete lack of information on who exactly is involved, and what their "privacy policy" is - the latter something I thought GDPR itself prohibited), and that GOG development team has a tendency to completely ignore user privacy in the first place, I'd rather err on the side of caution.

Bottom line is, I still can't access my game library without being exposed to third parties, which was something possible before this change. There was a reason I objected in the same way when GOG involved Amazon's AWS exactly in the same capacity (as Gydion mentioned above, whatever reasons GOG has for hosting these files away from its main GOG.com servers is not apparent, but certainly not a good security practice), so no, the fact these files are hosted on servers in the US, with our manufactured regression in public privacy practices, does not make me any happier.

Not to mention that the Chinese have been pumping trillions of dollars into our businesses, and I have neither the time nor quick tools to verify who owns those servers in the first place. Something I don't think is a reasonable expectation of any GOG customer, despite the privacy policy demanding it.

tl;dr: Whatever the details, still can't access my library without allowing third-party scripts. Something that had been possible for a long time.
Post edited November 04, 2019 by Lukaszmik