VirtualBox

Opened 8 years ago

Last modified 8 years ago

#15388 new defect

Please enable HTTPS for downloads

Reported by: jared
Owned by:
Component: other
Version: VirtualBox 5.0.20
Keywords: security
Cc:
Guest type: other
Host type: other

Description

I submitted this security vulnerability to secalert_us@… but they feel it is mitigated by the existing practice of securely publishing checksums, and asked me to publish the vulnerability here.

As most users will not go through the trouble of manually verifying a checksum, please enable HTTPS for downloads.

This was suggested almost two years ago in https://www.virtualbox.org/ticket/13318 but this vulnerability still exists.

Change History (2)

comment:1 by jared, 8 years ago

Oh, and thanks for all the great work that goes into VirtualBox, it's a great project!

comment:2 by Frank Mehnert, 8 years ago

Just to clarify: Not providing an HTTPS download service is NOT a security vulnerability. No doubt that an HTTPS service is convenient and automatically protects the user from man-in-the-middle attacks. But as written above, there are hashes available.
