Opened 8 years ago
Last modified 8 years ago
#15388 new defect
Please enable HTTPS for downloads
Reported by: | jared | Owned by: | |
---|---|---|---|
Component: | other | Version: | VirtualBox 5.0.20 |
Keywords: | security | Cc: | |
Guest type: | other | Host type: | other |
Description
I submitted this security vulnerability to secalert_us@… but they feel it is mitigated by the existing practice of securely publishing checksums, and asked me to publish the vulnerability here.
As most users will not go through the trouble of manually verifying a checksum, please enable HTTPS for downloads.
This was suggested almost two years ago in https://www.virtualbox.org/ticket/13318 but this vulnerability still exists.
Change History (2)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Just to clarify: Not providing an HTTPS download service is NOT a security vulnerability. No doubt that an HTTPS service is convenient and automatically protects the user from man-in-the-middle attacks. But as written above, there are hashes available.
Oh, and thanks for all the great work that goes into VirtualBox, it's a great project!