[vbox-dev] Guest Additions are being downloaded over insecure HTTP
desnacked at riseup.net
Sun Aug 10 14:58:46 UTC 2014
It seems that VirtualBox downloads the guest additions ISO over
HTTP. This is not a good idea, since code is being executed from that
ISO, and if it's downloaded over HTTP any network attacker can MITM
and replace it with her own ISO.

It would be better, I think, if the download happened over SSL (using
HTTPS). Maybe in the future you could also use digital signatures to
protect the download.
/* Prepare source/target: */
const QString &strName = QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
const QString &strSource = QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized()) + strName;
const QString &strTarget = QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
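
Added example, not part of the original post and not VirtualBox code: a defensive download check that refuses non-HTTPS sources and verifies the ISO against a SHA-256 manifest before it is used. The function names, the sha256sum-style manifest format, the placeholder version and the sample bytes are assumptions; the manifest itself must arrive over an authenticated channel (HTTPS or a verified signature), otherwise the comparison proves nothing.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

ALLOWED_HOST = "download.virtualbox.org"  # host taken from the snippet above


def check_download_url(url: str) -> str:
    """Refuse any source that is not HTTPS on the expected host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError(f"refusing untrusted download source: {url}")
    return url


def expected_digest(manifest: str, name: str) -> str:
    """Find `name` in a sha256sum-style manifest ("<hex>  <name>" or "<hex> *<name>")."""
    for line in manifest.splitlines():
        digest, _, entry = line.strip().partition(" ")
        if entry.strip().lstrip("*") == name and len(digest) == 64:
            return digest.lower()
    raise KeyError(f"{name} not listed in manifest")


def verify_iso(path: str, manifest: str, name: str) -> bool:
    """Hash the downloaded file in chunks and compare with the manifest entry."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_digest(manifest, name))


def demo():
    name = "VBoxGuestAdditions_0.0.0.iso"  # placeholder version (assumption)
    good = b"constructed ISO bytes"  # constructed stand-in for the real ISO
    manifest = f"{hashlib.sha256(good).hexdigest()} *{name}\n"
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        for body in (good, good + b"tampered"):  # intact copy, then altered copy
            with open(path, "wb") as f:
                f.write(body)
            results.append(verify_iso(path, manifest, name))
    return tuple(results)

print(demo())
```

A file that fails `verify_iso` should be deleted and never mounted in the guest.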