VirtualBox

Ticket #13318 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

VirtualBox installation security issue

Reported by: chengas123
Owned by:
Component: installer
Version: VirtualBox 4.3.14
Keywords:
Cc:
Guest type: Linux
Host type: Linux

Description

The VirtualBox Linux installation instructions (https://www.virtualbox.org/wiki/Linux_Downloads) are insecure.

In particular this line caused me to take note of what users are being told to do:

    wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

A signing key should not be transferred over insecure channels such as http or else its security properties are lost since anyone who could MITM the software package could also MITM the signing key.

It would also be wise to host the Debian repositories via an https site instead of http.

Change History

comment:1 Changed 5 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

It is true that the actual packages are currently only available on a site which does not support the HTTPS protocol. However, the oracle_vbox.asc key is also available on https://www.virtualbox.org/download/oracle_vbox.asc . I fixed a few links on the Linux download page to point to the HTTPS location. Allowing HTTPS for downloading the packages is another thing which is being worked on but this is not a subject for such a bug report.
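
A hardened form of the key fetch discussed in this ticket, added here as an example (not code from the ticket or from the VirtualBox project): it refuses non-HTTPS key URLs and keeps the key only if its fingerprint matches a value obtained out of band. Using curl rather than wget, the function names and the return codes are assumptions; the expected fingerprint is supplied by the caller and appears below only as a placeholder.

```shell
#!/bin/sh
# Added example: fetch a signing key over HTTPS only and pin its fingerprint.
# KEY_URL is the HTTPS location named in comment:1.
KEY_URL="https://www.virtualbox.org/download/oracle_vbox.asc"

# Succeed only for https:// URLs.
is_https_url() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Strip spaces, colons and newlines, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Print the fingerprint of each primary key in a file without importing it.
key_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { p = 1; next } $1 == "fpr" && p { print $10; p = 0 }'
}

# fetch_pinned_key URL EXPECTED_FPR OUTFILE
# Returns 2 = non-HTTPS URL, 3 = download failed, 4 = fingerprint missing or mismatched.
fetch_pinned_key() {
    url=$1; expected=$(normalize_fpr "$2"); out=$3
    is_https_url "$url" || { echo "refusing non-HTTPS key URL: $url" >&2; return 2; }
    [ -n "$expected" ] || { echo "no expected fingerprint given" >&2; return 4; }
    tmp=$(mktemp) || return 3
    # --proto and --proto-redir keep curl from being redirected down to http.
    if ! curl --fail --silent --show-error --proto '=https' --proto-redir '=https' \
            -o "$tmp" "$url"; then
        rm -f "$tmp"; return 3
    fi
    # A file holding more than one key yields a longer string and is rejected.
    got=$(normalize_fpr "$(key_fingerprints "$tmp")")
    if [ "$got" = "$expected" ]; then
        mv "$tmp" "$out"; return 0
    fi
    rm -f "$tmp"
    echo "fingerprint mismatch for $url" >&2
    return 4
}

# Usage (the fingerprint is a placeholder to be replaced by the caller):
#   fetch_pinned_key "$KEY_URL" "<FINGERPRINT-OBTAINED-OUT-OF-BAND>" ./oracle_vbox.asc
```

HTTPS protects the key in transit; the fingerprint comparison additionally covers the case where the download host itself serves a different key.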
