Opened 10 years ago
Closed 10 years ago
#13318 closed defect (fixed)
VirtualBox installation security issue
| Reported by: | chengas123 | Owned by: | |
|---|---|---|---|
| Component: | installer | Version: | VirtualBox 4.3.14 |
| Keywords: | | Cc: | |
| Guest type: | Linux | Host type: | Linux |
Description
The VirtualBox Linux installation instructions (https://www.virtualbox.org/wiki/Linux_Downloads) are insecure.
In particular this line caused me to take note of what users are being told to do: `wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -`
A signing key should not be transferred over insecure channels such as HTTP, or else its security properties are lost, since anyone who could MITM the software package could also MITM the signing key.
It would also be wise to host the Debian repositories via an https site instead of http.
It is true that the actual packages are currently only available on a site which does not support the HTTPS protocol. However, the oracle_vbox.asc key is also available on https://www.virtualbox.org/download/oracle_vbox.asc. I fixed a few links on the Linux download page to point to the HTTPS location. Allowing HTTPS for downloading the packages is another thing which is being worked on, but this is not a subject for such a bug report.
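The hardened form of the install step discussed in this ticket, written as an added example (it is not from the ticket, the VirtualBox project, or its documentation): the key is fetched only over HTTPS, its fingerprint is compared against a value pinned in the script before anything is trusted, and it is installed as a dedicated keyring referenced by `signed-by` rather than with `apt-key add`. Only the key URL comes from the ticket; the keyring path, the sources.list line and the `EXPECTED_FPR` value are assumptions, and the fingerprint is a placeholder that must be replaced with the real one obtained out of band. With the key pinned this way, the package repository still being on HTTP (as the last comment notes) costs confidentiality but not integrity, because every package is checked against the pinned key.

```shell
#!/bin/sh
# Added example, not VirtualBox's own instructions. Replaces
#   wget -q http://.../oracle_vbox.asc -O- | sudo apt-key add -
# with HTTPS fetch + pinned fingerprint + dedicated keyring.

KEY_URL="https://www.virtualbox.org/download/oracle_vbox.asc"   # HTTPS location named in the ticket
KEYRING="/usr/share/keyrings/oracle-virtualbox.gpg"            # assumed path
SOURCES="/etc/apt/sources.list.d/virtualbox.list"               # assumed path
# PLACEHOLDER: replace with the vendor's published 40-hex-digit fingerprint,
# obtained through a channel independent of the download itself.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Strip whitespace and upper-case a fingerprint so "ab cd" and "ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are well-formed 40-hex-digit fingerprints and equal.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint of an ASCII-armored key file without
# importing it into any keyring (gpg >= 2.1.23 for --show-keys).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Download, verify and install the repository key, then register the repo
# so apt trusts this keyring only for this source.
install_repo_key() {
    tmp=$(mktemp) || return 1
    # --proto '=https' refuses any redirect to plain HTTP; --fail turns an
    # error page into a hard failure instead of a bogus key file.
    if ! curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$tmp" "$KEY_URL"; then
        rm -f "$tmp"; return 1
    fi
    actual=$(key_fingerprint "$tmp")
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "refusing key: fingerprint '$actual' does not match pinned '$EXPECTED_FPR'" >&2
        rm -f "$tmp"; return 1
    fi
    # Dearmor into a dedicated keyring; nothing is added to apt's global trust.
    gpg --batch --dearmor < "$tmp" | sudo tee "$KEYRING" >/dev/null || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Assumed sources line; the codename comes from lsb_release on the host.
    echo "deb [signed-by=$KEYRING] http://download.virtualbox.org/virtualbox/debian $(lsb_release -cs) contrib" \
        | sudo tee "$SOURCES" >/dev/null
}

# usage: install_repo_key && sudo apt-get update
```

Pinning the fingerprint is what turns the download into a check rather than an act of trust: if the HTTPS channel or the hosting site were ever compromised, a substituted key fails the comparison and nothing is installed. The `signed-by` keyring scoping means a later key compromise affects only this repository, not every source on the system.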