id,summary,reporter,owner,description,type,status,component,version,resolution,keywords,cc,guest,host
12815,Downloads hash page not protected by https,henn,,"The virtualbox [https://www.virtualbox.org/wiki/Downloads downloads webpage] helpfully links to [http://download.virtualbox.org/virtualbox/4.3.8/SHA256SUMS another page] where one can check that the cyptographic hash for the installer matches the server's.

The download URL as well as the page containing the cryptographic hashes, however, do not have https protection, meaning that it wouldn't be too difficult for an attacker to substitute the real virtualbox installer for one that contains malicious code. This attacker could include anyone ranging from someone sharing an open wifi connection to someone with access to a user's upstream connections.

Could the SHA256 and MD5 links on the [https://www.virtualbox.org/wiki/Downloads downloads page] please be https-protected?

On top of that, could the www.virtualbox.org webpage default to https?

Thanks in advance.
",defect,closed,other,VirtualBox 4.3.8,fixed,security web,,other,all