Bioconductor Installation may be insecure against man-in-the-middle attacks
1
0
@willtownes-8097
Last seen 12 months ago
United States

The installation procedure for Bioconductor may be vulnerable to man-in-the-middle attacks, because it is calling source() on an HTTP URL. I am not a security expert, but it seems like HTTPS should be used instead, or perhaps some kind of signing of the code, and/or verifying using checksums? If the current procedure is actually secure, please explain why we should not be worried. Maybe there is something about the source() function that prevents these attacks, but I did not find it in the documentation. I have asked this question on Stack Overflow as well.

security http source installation • 944 views
0

I just updated my version of R and it now appears to be supporting HTTPS URLs for installing packages from CRAN. I tried using the source() Bioconductor install with HTTPS instead of HTTP and it worked. I recommend you all update the documentation on the main page, as well as the biocLite() function, to improve security.

0

We will do this when HTTPS support is in an officially released version of R (which will be version 3.2.2 later this month).

Thanks.

2
Dan Tenenbaum ★ 8.2k
@dan-tenenbaum-4256
Last seen 8 months ago
United States

Base R does not support HTTPS out of the box (though I hear this may change soon); it's available through add-on packages such as RCurl.

If you want to install the current release of Bioconductor (3.1) without using source(), do this:

install.packages("BiocInstaller",
                 repos = "http://bioconductor.org/packages/3.1/bioc")
library(BiocInstaller) # the biocLite() command is now available
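As an added illustration (not code from the thread or from the Bioconductor project), the same installation done over HTTPS on an R build that has libcurl support. The HTTPS form of the repository URL and the use of the libcurl download method are assumptions; the thread itself only shows the HTTP URL. The point is that the package download, not just the source() step, goes over an authenticated channel.

```r
# Added example: install BiocInstaller over HTTPS instead of source()-ing
# a script fetched over plain HTTP. Assumes R was built with libcurl and
# that the repository is reachable over HTTPS (neither confirmed in the thread).
stopifnot(capabilities("libcurl"))

# HTTPS variant of the repo URL from the answer above (assumed to exist).
repo <- "https://bioconductor.org/packages/3.1/bioc"

# method = "libcurl" makes install.packages() fetch the tarball over TLS,
# so a network attacker cannot silently swap the package for another one.
install.packages("BiocInstaller", repos = repo, method = "libcurl")

library(BiocInstaller) # biocLite() is now available
biocLite()
```

If capabilities("libcurl") is FALSE the stopifnot() aborts early, which is the failure mode to watch for: on such a build the download would silently fall back to an unauthenticated transport.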

0

Oops, the current release version of Bioconductor is 3.1. Edited message to reflect that.

0

Thanks! Would it make sense to provide this information on the installation page so that other users like myself who may not be savvy to security issues can avoid the MITM risk? It seems like the more secure method should be suggested as the default procedure.

0

The method suggested above does not avoid the MITM risk. It just avoids using source(), which could potentially execute malicious code if there was a MITM. It does not prevent you from executing malicious code inside packages that you download, since the MITM could substitute bad packages for good ones (and checksums would not help in this case). It may be that install.packages() and friends (upon which biocLite() is based) will be updated to use HTTPS, hopefully before the next R release.

0

OK, so it sounds like at this point there is no way to avoid the MITM risk until HTTPS is supported by base R. I guess I'll just keep using the default installation method and hope that HTTPS support comes soon.