[vbox-dev] Guest Additions are being downloaded over insecure HTTP

quickbooks office quickbooks.office at gmail.com
Mon Aug 11 08:40:40 GMT 2014


Isn't the guest additions ISO file included in the Installer package?

On Sun, Aug 10, 2014 at 7:58 AM, George Kadianakis <desnacked at riseup.net> wrote:
> Hello there!
>
> It seems that VirtualBox downloads the guest additions ISO over
> HTTP. This is not a good idea, since code is being executed from that
> ISO, and if it's downloaded over HTTP any network attacker can MITM
> and replace with her own ISO.
>
> It would be better, I think, if the download happened over SSL (using
> HTTPS). Maybe in the future you could also use digital signatures to
> protect the download.
>
> {{{ UIDownloaderAdditions::UIDownloaderAdditions():
>     /* Prepare source/target: */
>     const QString &strName = QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
>     const QString &strSource = QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized()) + strName;
>     const QString &strTarget = QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
> }}}
>
> Thank you!
>
> _______________________________________________
> vbox-dev mailing list
> vbox-dev at virtualbox.org
> https://www.virtualbox.org/mailman/listinfo/vbox-dev
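
The two checks the quoted message asks for, shown as an added example that is not part of the original thread or of VirtualBox's code: refuse a non-HTTPS source, and verify the downloaded file before anything is run from it. A SHA-256 manifest stands in here for the digital signature the message suggests. The sha256sum-style manifest format, host name, version string and ISO bytes are all constructed, and the manifest is assumed to arrive over an authenticated channel.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class DownloadRejected(Exception):
    """Raised when a download must not be mounted or executed."""


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex digits> [*]<filename>'."""
    digests = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            digests[name] = digest
    return digests


def check_download(source_url, name, payload, manifest_text):
    """Return the payload's SHA-256 if it may be used, else raise."""
    # Plain HTTP gives a network attacker control over the bytes received.
    if urlsplit(source_url).scheme.lower() != "https":
        raise DownloadRejected("source is not HTTPS: " + source_url)
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        raise DownloadRejected("no manifest entry for " + name)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise DownloadRejected("digest mismatch for " + name)
    return actual


# Constructed sample data (assumptions, not real VirtualBox artifacts).
NAME = "VBoxGuestAdditions_0.0.0.iso"
GOOD_ISO = b"constructed stand-in for ISO contents"
MANIFEST = hashlib.sha256(GOOD_ISO).hexdigest() + " *" + NAME + "\n"


def outcome(scheme, payload):
    """Hypothetical demo helper: 'accepted' or the rejection reason."""
    url = scheme + "://downloads.example.invalid/0.0.0/" + NAME
    try:
        check_download(url, NAME, payload, MANIFEST)
        return "accepted"
    except DownloadRejected as exc:
        return str(exc).split(":")[0]
```
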



