Question: Bioconductor Installation may be insecure against man-in-the-middle attacks
0
gravatar for will.townes
4.1 years ago by
United States
will.townes0 wrote:

The installation procedure for bioconductor may be vulnerable to man-in-the-middle attacks, because it is calling `source()` on an HTTP URL. I am not a security expert but it seems like HTTPS should be used instead, or perhaps some kind of signing of the code, and/or verifying using checksums? If the current procedure is actually secure, please explain why we should not be worried. Maybe there is something about the `source()` function that prevents these attacks, but I did not find it in the documentation. I have asked this question on Stack Overflow as well.

ADD COMMENTlink modified 4.1 years ago by Dan Tenenbaum8.2k • written 4.1 years ago by will.townes0

I just updated my version of R and it now appears to be supporting HTTPS URLs for installing packages from CRAN. I tried using the source() bioconductor with HTTPS instead of HTTP and it worked. I recommend you all to update the documentation on the main page, as well as the biocLite() function, to improve security.

ADD REPLYlink written 4.0 years ago by will.townes0

We will do this when https support is in an officially released version of R (which will be version 3.2.2 later this month).

Thanks.

ADD REPLYlink written 4.0 years ago by Dan Tenenbaum8.2k
Answer: Bioconductor Installation may be insecure against man-in-the-middle attacks
2
gravatar for Dan Tenenbaum
4.1 years ago by
Dan Tenenbaum8.2k
United States
Dan Tenenbaum8.2k wrote:

Base R does not support HTTPS out of the box (though I hear this may change soon), it's available through add-on packages such as RCurl.

If you want to install the current release of  Bioconductor (3.1) without using source(), do this:

install.packages("BiocInstaller",
    repos="http://bioconductor.org/packages/3.1/bioc") 
library(BiocInstaller) # the biocLite() command is now available

 

ADD COMMENTlink modified 4.1 years ago • written 4.1 years ago by Dan Tenenbaum8.2k

Oops, the current release version of Bioconductor is 3.1. Edited message to reflect that.

ADD REPLYlink modified 4.1 years ago • written 4.1 years ago by Dan Tenenbaum8.2k

Thanks! Would it make sense to provide this information on the installation page so that other users like myself who may not be savvy to security issues can avoid the MITM risk? It seems like the more secure method should be suggested as the default procedure.

ADD REPLYlink written 4.1 years ago by will.townes0

The method suggested above does not avoid the MITM risk. It just avoids using source() which could potentially execute malicious code if there was a MITM. It does not prevent you from executing malicious code inside packages that you download since the MITM could substitute bad packages for good ones (and checksums would not help in this case).  It may be that install.packages() and friends (upon which biocLite() is based) will be updated to use HTTPS, hopefully before the next R release. 

ADD REPLYlink written 4.1 years ago by Dan Tenenbaum8.2k

OK, so it sounds like at this point there is no way to avoid the MITM risk until HTTPS is supported by base R. I guess I'll just keep using the default installation method and hope that HTTPS support comes soon.

ADD REPLYlink written 4.1 years ago by will.townes0
Please log in to add an answer.

Help
Access

Use of this site constitutes acceptance of our User Agreement and Privacy Policy.
Powered by Biostar version 16.09
Traffic: 182 users visited in the last hour