This issue is still not resolved. The browser used by Galaxy still does not show the TLS certificate status.
This is an absolute no-go.
Scorcher24: This issue is still not resolved. The browser used by Galaxy still does not show the TLS certificate status.
This is an absolute no-go.
Absolutely. I will no longer use plugins in Galaxy, and this information should be more widespread.
I would also love to use the toilet, WLAN and electricity at McDonald's without ordering a meal.....

It will always be, and it is absolutely fair, that Steam games communicate via Steam.
If you don't want this, don't buy games on Steam....

The only thing GOG does is collect everything and show it in one place. And that's what was realistic and just the thing I wanted it to do....
Post edited January 19, 2020 by BlackyRay
Have the gog galaxy team commented on this?
akaLuckyEye: Have the gog galaxy team commented on this?
I'm pretty sure they don't have to, as the Steam plugin isn't considered an official integration.
As far as anyone is concerned, integration with third-party connectors should be done at your own risk, for reasons described by OP.

I really do wish that, at the very least, there would be an official Steam plugin, since it's by far the most popular platform on PC.

EDIT: Seems like an issue was opened on Github about this, if anyone wants to read further:
https://github.com/FriendsOfGalaxy/galaxy-integration-steam/issues/2
Post edited January 20, 2020 by Nebiroth
Nebiroth: I really do wish that, at the very least, there would be an official Steam plugin, since it's by far the most popular platform on PC.
I doubt Valve would be happy about that :)
This is also a big concern of mine. And I'm disappointed at the number of people in this thread who just don't understand the issue at all.

No one is saying there shouldn't be a unified launcher.
No one is saying they need special permission from other launchers.

The issue is that GOG is pulling code off of some random GitHub, running it on your computer, and at some point during that process it asks for your login credentials. Unless they have taken special precautions to ensure security, I could go write a malicious integration for Steam right now, put it on GitHub, and use it to man-in-the-middle everyone's login info. And yeah, it's posted publicly and anyone can go audit it, but in the real world there is more open source code in the world than eyes willing to scrutinize it. If I obfuscate it slightly I could probably go a while without anyone noticing.

So I would also like it if someone from GOG could communicate with us about what steps they're taking to ensure this doesn't happen, but more importantly make us feel confident that it can't happen. Ex. as OP mentioned, if the login happened in your browser of choice you can be reasonably confident that you're viewing the actual steam/blizzard/whatever website and that a secure TLS connection has been made. At that point you're at least as secure as you would be when logging in from your browser any other time.
How does this hypothetical hacker get access to my phone so they can verify that they are me? I could paint my Steam login details on the side of a building in the centre of town and people still won't get into my account, they'll just trigger the illegal login protocol that will alert me by email that someone has my password.
I don't see a problem here. It's nice to have all my games under one roof, instead of launching one game manager after another. I have 4 game managers Steam, GOG, Uplay, and Origin. Having the ability to play my games through one client is the best thing GOG has done.
krashd: How does this hypothetical hacker get access to my phone so they can verify that they are me? I could paint my Steam login details on the side of a building in the centre of town and people still won't get into my account, they'll just trigger the illegal login protocol that will alert me by email that someone has my password.
You're getting a "connection lost" error in Galaxy and a Steam login form; you fill in the data, then Steam asks you for auth numbers (from email or from your mobile app). You enter them, and at this moment you have provided everything the hacker needs to log into your account and hijack it. GOG provides a login form without any sign of whether it's original to Valve's site, without the ability to check certificates (whether it's issued to Valve), so you can easily give your data to anyone interested in that data :)
blkbrdsr71: I don't see a problem here. It's nice to have all my games under one roof, instead of launching one game manager after another. I have 4 game managers Steam, GOG, Uplay, and Origin. Having the ability to play my games through one client is the best thing GOG has done.
Again, no one is saying there shouldn't be a unified launcher. It's like saying, "I like living in my house, I don't see why we need locks on the doors". Putting locks on the doors doesn't mean you can't live in a house.

To extend this analogy to an almost absurd degree, the situation is more like: you have a house and there ARE locks on the doors, but there's a guy blocking the door who presents you with a keyhole (the integration plugin). And when you put your key in you can't be sure if the keyhole goes directly to your door or to a fake doorknob that makes a copy of your key in the process (the login form is just some HTML that could be coming from a MITM attack). All I'm asking is that we add the ability to be sure it's actually your doorknob you're putting your key in (display that the TLS signature has been verified).

Your user experience wouldn't change at all except that there would be a little icon indicating that your GOG client has verified that the federated login form is actually coming from the site you think it is.

Edit: I've done enough experimenting locally that I'm convinced a MITM would be trivial and undetectable by the user. I hosted a copy of the steam login page on my own machine without any SSL/TLS cert, then changed 1 line in my steam plugin to direct there instead of the steam login page. I opened GOG2.0 and started the steam integration process and it hosted my fake page no questions asked. There is no indication that I'm on a fake login screen except for the fact that I edited the sign in button. At this point all my fake server would have to do is pass the login info on to steam using exactly the same code the plugin does and pretend nothing weird is happening.

So unless there's some rigorous security process that commits go through before being whitelisted for use by the GOG client, any one of the dozens of github integration maintainers could wake up one day and push a commit that starts logging people's info. Sure, they probably get caught, but only after how many victims have their accounts pwned? And it could all be avoided entirely if the GOG client validated certs.

I know the client is new, I know there are people working their asses off getting it working and stable, and I appreciate every second of their hard work. I just don't want to see one bad actor somewhere put GOG in headlines for bad security. That could ruin people's trust in the platform, and I desperately want to see it succeed.
Post edited February 02, 2020 by teawreckshero
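The post above describes the missing check concretely: the client opened whatever page the plugin's one edited line pointed at, including a plain-HTTP copy of the Steam login page served from localhost, with no indication to the user. The following is an added example (not code from this thread, from GOG, or from the galaxy-integration-steam project) of the gate a launcher could apply before loading a plugin-supplied login URL in its embedded browser. It assumes the plugin hands over a `start_uri` for the login page (the field name is modelled loosely on the public plugin API but is an assumption here), the allowlist of login hosts is illustrative, and all sample URLs are constructed for the demonstration.

```python
"""Client-side gate for a third-party integration's login URL.

Added example, not from the forum thread or the plugin project.  The
launcher, not the plugin, decides whether the page the plugin asks for is
one the user can safely type credentials into: https only, no userinfo
tricks, no IP literals, host on an allowlist.  A separate helper performs
the actual chain and hostname verification whose result the thread asks the
client to surface in the UI.
"""
import ipaddress
import socket
import ssl
from typing import Set, Tuple
from urllib.parse import urlsplit

# Assumed allowlist; a real client would ship one per official integration.
ALLOWED_LOGIN_HOSTS: Set[str] = {"steamcommunity.com", "store.steampowered.com"}


def host_allowed(host: str, allowed: Set[str]) -> bool:
    """True if host is an allowed domain or a subdomain of one.

    The suffix match is on dotted labels, so 'login.steamcommunity.com' is
    accepted while the look-alike 'steamcommunity.com.evil.example' is not.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_start_uri(uri: str, allowed: Set[str] = ALLOWED_LOGIN_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason) for a plugin-supplied login URL.

    Rejects what would let a modified or malicious plugin put a look-alike
    login form in front of the user: non-https schemes (nothing to verify),
    userinfo such as https://steamcommunity.com@evil.example/ (the browser
    actually goes to evil.example), IP-literal hosts, and hosts outside the
    allowlist.  The same function can be applied to the final URL the client
    hands back to the plugin when the login flow completes.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, "scheme %r is not https" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal host"
    except ValueError:
        pass  # not an IP literal, continue with the name checks
    if not host_allowed(host, allowed):
        return False, "host %r not in allowlist" % host
    return True, "ok"


def tls_verified(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Open a TLS connection using the platform trust store with hostname
    checking enabled; False if the chain or the name does not verify.

    This is the verification result the thread wants shown next to the
    federated login form.  It needs network access and is therefore not part
    of the offline sample run below.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed sample inputs: the legitimate page, the local plain-HTTP copy
# from the experiment described in the thread, and two look-alike hosts.
SAMPLE_START_URIS = [
    "https://steamcommunity.com/login/home/?goto=",
    "http://127.0.0.1:8000/login",
    "https://steamcommunity.com@login.evil.example/",
    "https://steamcommunity.com.evil.example/login",
]

if __name__ == "__main__":
    for uri in SAMPLE_START_URIS:
        ok, reason = check_start_uri(uri)
        print("%-6s %s  (%s)" % ("LOAD" if ok else "BLOCK", uri, reason))
```

The allowlist is the part that turns "the plugin picked a URL" into "the client vouches for the URL"; without it, a valid certificate for any domain would still pass, which is exactly the fake-replica scenario raised later in the thread.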
blkbrdsr71: I don't see a problem here. [...] Having the ability to play my games through one client is the best thing GOG has done.
teawreckshero: Again, no one is saying there shouldn't be a unified launcher. [...] And it could all be avoided entirely if the GOG client validated certs.
Well said. People who can't see the full picture with code can't understand what we're asking for (and why). They think we just hate on GOG or something. You forgot to mention another way to get access to user data: creation of a separate plugin, a fake replica somewhere on GitHub. It's much easier than hijacking an old GitHub account. Do you recall the situation with Steam Idle Master (or whatever its name was)? There was one (original) version on GitHub, and Google served a fake Russian replica as #1 in search results for this app. How many users downloaded and used it without knowing it was not real?
If there is a fake Steam plugin with good promotion on Google, that's even scarier than a breach of the main plugin.