George, can you make a clear statement what package you're using? None of the packages from virtualbox.org should ever execute this code path.

As mentioned before, it is included in the host package and thus the download will not be attempted. The download feature has been implemented ages ago to simplify 3rd party packaging of the "OSE" variant.

We are already strongly pushing for HTTPS support on download.virtualbox.org, but it's operated by a different team and handles many more products/projects. All equipment the VirtualBox team is operating can't handle multi-Terabyte/day volume.

So yes, SSL would be better but unfortunately isn't easily available.

Klaus

On 11.08.2014 10:40, quickbooks office wrote:
> Isn't the guest additions ISO file included in the Installer package?
>
> On Sun, Aug 10, 2014 at 7:58 AM, George Kadianakis <[email protected]>
> wrote:
>> Hello there!
>>
>> It seems that VirtualBox downloads the guest additions ISO over
>> HTTP. This is not a good idea, since code is being executed from that
>> ISO, and if it's downloaded over HTTP any network attacker can MITM
>> and replace with her own ISO.
>>
>> It would be better, I think, if the download happened over SSL (using
>> HTTPS). Maybe in the future you could also use digital signatures to
>> protect the download.
>>
>> {{{
>> UIDownloaderAdditions::UIDownloaderAdditions():
>>     /* Prepare source/target: */
>>     const QString &strName =
>>     QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
>>     const QString &strSource =
>>     QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized())
>>     + strName;
>>     const QString &strTarget =
>>     QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
>> }}}
>>
>> Thank you!
>>
_______________________________________________
vbox-dev mailing list
[email protected]
https://www.virtualbox.org/mailman/listinfo/vbox-dev
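
An added example, not part of the thread and not VirtualBox code: one way a third-party package could make a plain-HTTP download safe to use is to check the file against a SHA-256 digest obtained over a trusted channel, for instance shipped inside the already-installed package, and to move it into place only on a match. The sha256sum-style manifest, the function names, the `download.part` file name and the version `0.0.0` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name') into {name: digest}."""
    pins = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            pins[name] = digest
    return pins

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def accept_download(tmp_path, name, pins, target_dir):
    """Move tmp_path to target_dir/name only if it matches the pinned digest; else delete it."""
    expected = pins.get(name)  # no pin for this name: fail closed
    if expected is None or not hmac.compare_digest(sha256_file(tmp_path), expected):
        os.unlink(tmp_path)
        return None
    final = os.path.join(target_dir, name)
    os.replace(tmp_path, final)
    return final

def demo():
    """Constructed data: a stand-in 'ISO' and a manifest built from it."""
    name = "VBoxGuestAdditions_0.0.0.iso"  # 0.0.0 is a placeholder version
    good = b"constructed stand-in for the ISO contents"
    pins = parse_manifest(f"{hashlib.sha256(good).hexdigest()} *{name}\n")
    results = []
    with tempfile.TemporaryDirectory() as d:
        for body in (good, good + b" modified in transit"):
            tmp = os.path.join(d, "download.part")
            with open(tmp, "wb") as f:
                f.write(body)
            results.append(accept_download(tmp, name, pins, d) is not None)
    return results
```

A manifest fetched over the same unauthenticated connection as the ISO adds no protection; the check is only as trustworthy as the channel that delivered the digest.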
