[vbox-dev] Guest Additions are being downloaded over insecure HTTP
Klaus Espenlaub
klaus.espenlaub at oracle.com
Mon Aug 11 10:06:56 UTC 2014
George,
can you make a clear statement about which package you're using? None of the
packages from virtualbox.org should ever execute this code path.
As mentioned before, it is included in the host package and thus the
download will not be attempted. The download feature was
implemented ages ago to simplify 3rd party packaging of the "OSE" variant.
We are already strongly pushing for HTTPS support on
download.virtualbox.org, but it's operated by a different team and
handles many more products/projects. All equipment the VirtualBox team
is operating can't handle multi-Terabyte/day volume. So yes, SSL would
be better but unfortunately isn't easily available.
Klaus
On 11.08.2014 10:40, quickbooks office wrote:
> Isn't the guest additions ISO file included in the Installer package?
>
> On Sun, Aug 10, 2014 at 7:58 AM, George Kadianakis <desnacked at riseup.net> wrote:
>> Hello there!
>>
>> It seems that VirtualBox downloads the guest additions ISO over
>> HTTP. This is not a good idea, since code is being executed from that
>> ISO, and if it's downloaded over HTTP any network attacker can MITM
>> and replace with her own ISO.
>>
>> It would be better, I think, if the download happened over SSL (using
>> HTTPS). Maybe in the future you could also use digital signatures to
>> protect the download.
>>
>> {{{ UIDownloaderAdditions::UIDownloaderAdditions():
>> /* Prepare source/target: */
>> const QString &strName = QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
>> const QString &strSource = QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized()) + strName;
>> const QString &strTarget = QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
>> }}}
>>
>> Thank you!
>>
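The hardened download path George asks for, as an added example that is not VirtualBox code: HTTPS is enforced, the body is checked against a digest obtained out of band (standing in for the signatures he mentions), and the file is moved into place only after it verifies, so a tampered ISO never lands where code would be run from it. The URL layout and ISO name follow the quoted snippet; the `fetch` callable, the sample bytes and the digest source are assumptions.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample ISO and its digest. A real deployment would obtain the
# digest out of band (e.g. from a signed SHA256SUMS), never from the same
# unauthenticated channel as the ISO itself.
TRUSTED_ISO = b"constructed stand-in for VBoxGuestAdditions.iso"
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_ISO).hexdigest()

def additions_url(version, scheme="https"):
    """Same name/URL layout as the reported snippet, defaulting to HTTPS."""
    name = f"VBoxGuestAdditions_{version}.iso"
    return f"{scheme}://download.virtualbox.org/virtualbox/{version}/{name}"

def install_iso(url, target, expected_sha256, fetch):
    """fetch(url) yields byte chunks. Spool them to a temp file beside target,
    verify the SHA-256, then atomically rename into place; a tampered or
    truncated download therefore never exists at target."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS source: {url}")
    digest = hashlib.sha256()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target) or ".")
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in fetch(url):
                digest.update(chunk)
                out.write(chunk)
        if digest.hexdigest() != expected_sha256:
            raise ValueError("SHA-256 mismatch: download rejected")
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # leave no partial or tampered file behind
        raise
    return target

def try_install(url, target, expected_sha256, fetch):
    """Outcome as a string, for callers that log instead of raising."""
    try:
        install_iso(url, target, expected_sha256, fetch)
        return "installed"
    except ValueError as err:
        return f"rejected: {err}"

# Constructed network stand-ins: the genuine body, and what a MITM could substitute.
fetch_ok = lambda url: [TRUSTED_ISO]
fetch_tampered = lambda url: [b"attacker-controlled contents"]
```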