VirtualBox

Opened 10 years ago

Closed 10 years ago

#12815 closed defect (fixed)

Downloads hash page not protected by https

Reported by: henn
Owned by:
Component: other
Version: VirtualBox 4.3.8
Keywords: security web
Cc:
Guest type: other
Host type: all

Description

The virtualbox downloads webpage helpfully links to another page where one can check that the cryptographic hash for the installer matches the server's.

The download URL as well as the page containing the cryptographic hashes, however, do not have https protection, meaning that it wouldn't be too difficult for an attacker to substitute the real virtualbox installer for one that contains malicious code. This attacker could include anyone ranging from someone sharing an open wifi connection to someone with access to a user's upstream connections.

Could the SHA256 and MD5 links on the downloads page please be https-protected?

On top of that, could the www.virtualbox.org webpage default to https?

Thanks in advance.

Change History (1)

comment:1 by Frank Mehnert, 10 years ago

Resolution: fixed
Status: new → closed

Very right. Switching the download server to support the HTTPS protocol is planned, but this will take time. For now, www.virtualbox.org is fully capable of HTTPS and even switches to HTTPS by default. I've put the hashes on www.virtualbox.org. Thank you for this report!
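The concern raised in this ticket, as an added example that is not part of the ticket or of VirtualBox's own tooling: a hash check only protects a download when the hash list itself arrives over an authenticated channel, so the checker below refuses any checksum source that is not HTTPS before comparing digests. It assumes a sha256sum-style list; the function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

# sha256sum-style line: 64 hex digits, a space, ' ' (text) or '*' (binary), name
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def require_https(url):
    """Reject any checksum source that is not served over TLS."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing non-HTTPS checksum source: {url!r}")
    return url

def fetch_checksums(url):
    """Fetch the list; urllib validates the server certificate by default."""
    with urllib.request.urlopen(require_https(url), timeout=30) as resp:
        require_https(resp.geturl())  # discard data reached via a redirect to http
        return resp.read().decode("ascii")

def parse_checksums(text):
    """Return {filename: lowercase hex digest}, ignoring malformed lines."""
    found = (LINE.fullmatch(line.strip()) for line in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in found if m}

def verify_installer(path, checksums):
    """Hash the file in chunks and compare with the trusted list; fail closed."""
    expected = checksums.get(Path(path).name)
    if expected is None:
        return False  # file not listed
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

if __name__ == "__main__":
    # Constructed sample data; a real run would call fetch_checksums() with the
    # project's https:// checksum URL (not given on this page).
    with tempfile.TemporaryDirectory() as d:
        installer = Path(d) / "installer-constructed.bin"
        installer.write_bytes(b"constructed installer bytes")
        digest = hashlib.sha256(installer.read_bytes()).hexdigest()
        sums = parse_checksums(f"{digest} *installer-constructed.bin\n")
        print("untouched:", verify_installer(installer, sums))
        installer.write_bytes(b"swapped in transit")
        print("tampered: ", verify_installer(installer, sums))
```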
