[vbox-dev] Guest Additions are being downloaded over insecure HTTP
George Kadianakis
desnacked at riseup.net
Sun Aug 10 14:58:46 GMT 2014
Hello there!
It seems that VirtualBox downloads the guest additions ISO over
HTTP. This is not a good idea, since code is being executed from that
ISO, and if it's downloaded over HTTP any network attacker can MITM
and replace with her own ISO.
It would be better, I think, if the download happened over SSL (using
HTTPS). Maybe in the future you could also use digital signatures to
protect the download.
{{{ UIDownloaderAdditions::UIDownloaderAdditions():
/* Prepare source/target: */
const QString &strName = QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
const QString &strSource = QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized()) + strName;
const QString &strTarget = QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
}}}
Thank you!
More information about the vbox-dev
mailing list