[vbox-dev] Guest Additions are being downloaded over insecure HTTP

George Kadianakis desnacked at riseup.net
Sun Aug 10 14:58:46 UTC 2014

Hello there!

It seems that VirtualBox downloads the guest additions ISO over
HTTP. This is not a good idea, since code is being executed from that
ISO, and if it's downloaded over HTTP, any network attacker can MITM
and replace it with her own ISO.

It would be better, I think, if the download happened over SSL (using
HTTPS). Maybe in the future you could also use digital signatures to
protect the download.

{{{ UIDownloaderAdditions::UIDownloaderAdditions():
    /* Prepare source/target: */
    const QString &strName = QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
    const QString &strSource = QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized()) + strName;
    const QString &strTarget = QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
}}}

Thank you!
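
The two suggestions in the message above (HTTPS for the download, plus an integrity check on the ISO), sketched as an added example that is not part of the original post or of VirtualBox's code. It assumes a sha256sum-style manifest that has itself been obtained over an authenticated channel or signature-checked; all function names and the sample data are hypothetical.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "download.virtualbox.org"  # host taken from the URL in the post
MANIFEST_LINE = re.compile(r"([0-9a-fA-F]{64})\s+\*?(\S.*)")


def additions_url(version: str) -> str:
    """Build the same URL as the quoted code, but with the https scheme."""
    name = f"VBoxGuestAdditions_{version}.iso"
    return f"https://{ALLOWED_HOST}/virtualbox/{version}/{name}"


def check_url(url: str) -> None:
    """Refuse anything that is not HTTPS to the expected host (also after redirects)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError(f"refusing download from {url!r}")


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<64 hex digits> [*]<file name>'."""
    digests = {}
    for line in text.splitlines():
        match = MANIFEST_LINE.fullmatch(line.strip())
        if match:  # blank or malformed lines are ignored
            digests[match.group(2)] = match.group(1).lower()
    return digests


def verify_iso(name: str, data: bytes, manifest: dict) -> bool:
    """True only if the file is listed and its SHA-256 matches the manifest."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unlisted file: fail closed
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: not a real ISO, version, or published checksum.
SAMPLE_VERSION = "0.0.0"
SAMPLE_NAME = f"VBoxGuestAdditions_{SAMPLE_VERSION}.iso"
SAMPLE_ISO = b"constructed guest additions image"
SAMPLE_MANIFEST = f"{hashlib.sha256(SAMPLE_ISO).hexdigest()} *{SAMPLE_NAME}\n"
```
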
