VirtualBox

Ticket #15388 (new defect)

Opened 6 years ago

Last modified 6 years ago

Please enable HTTPS for downloads

Reported by: jared
Owned by:
Component: other
Version: VirtualBox 5.0.20
Keywords: security
Cc:
Guest type: other
Host type: other

Description

I submitted this security vulnerability to secalert_us@… but they feel it is mitigated by the existing practice of securely publishing checksums, and asked me to publish the vulnerability here.

As most users will not go through the trouble of manually verifying a checksum, please enable HTTPS for downloads.

This was suggested almost two years ago in https://www.virtualbox.org/ticket/13318 but this vulnerability still exists.

Change History

comment:1 Changed 6 years ago by jared

Oh, and thanks for all the great work that goes into VirtualBox, it's a great project!

comment:2 Changed 6 years ago by frank

Just to clarify: Not providing an HTTPS download service is NOT a security vulnerability. No doubt that an HTTPS service is convenient and automatically protects the user from man-in-the-middle attacks. But as written above, there are hashes available.
