Question: Bioconductor Installation may be insecure against man-in-the-middle attacks
0
will.townes0 (United States) wrote, 4.0 years ago:

The installation procedure for bioconductor may be vulnerable to man-in-the-middle attacks, because it is calling source() on an HTTP URL. I am not a security expert but it seems like HTTPS should be used instead, or perhaps some kind of signing of the code, and/or verifying using checksums? If the current procedure is actually secure, please explain why we should not be worried. Maybe there is something about the source() function that prevents these attacks, but I did not find it in the documentation. I have asked this question on Stack Overflow as well.

modified 4.0 years ago by Dan Tenenbaum8.2k • written 4.0 years ago by will.townes0

I just updated my version of R and it now appears to support HTTPS URLs for installing packages from CRAN. I tried using source() on the Bioconductor installer with HTTPS instead of HTTP and it worked. I recommend that you all update the documentation on the main page, as well as the biocLite() function, to improve security.

We will do this when https support is in an officially released version of R (which will be version 3.2.2 later this month).

Thanks.

Answer: Bioconductor Installation may be insecure against man-in-the-middle attacks
2
Dan Tenenbaum8.2k (United States) wrote, 4.0 years ago:

Base R does not support HTTPS out of the box (though I hear this may change soon); it is available through add-on packages such as RCurl.

If you want to install the current release of Bioconductor (3.1) without using source(), do this:

install.packages("BiocInstaller",
repos="http://bioconductor.org/packages/3.1/bioc")
library(BiocInstaller) # the biocLite() command is now available

Oops, the current release version of Bioconductor is 3.1. Edited message to reflect that.

Thanks! Would it make sense to provide this information on the installation page so that other users like myself who may not be savvy to security issues can avoid the MITM risk? It seems like the more secure method should be suggested as the default procedure.

The method suggested above does not avoid the MITM risk. It just avoids using source(), which could potentially execute malicious code if there was a MITM. It does not prevent you from executing malicious code inside packages that you download, since the MITM could substitute bad packages for good ones (and checksums would not help in this case). It may be that install.packages() and friends (upon which biocLite() is based) will be updated to use HTTPS, hopefully before the next R release.
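The two points made in this thread (source() on an HTTP URL executes whatever the network delivers, and a checksum fetched over the same insecure channel adds nothing) can be turned into a safer install procedure. The following is an added example written for this page; it is not code from the Bioconductor project, and it assumes the `digest` add-on package for SHA-256 and an R build with libcurl support (R 3.2.0 or later). The `expected_sha256` value is a placeholder that you must replace with a hash obtained out-of-band (for example, from a maintainer announcement or a second, independent channel), not one downloaded from the same server over HTTP.

```r
# Added example, not part of the original thread or the Bioconductor project.
# Requires: install.packages("digest")

# Refuse to proceed over plain HTTP unless the caller explicitly allows it.
# capabilities("libcurl") is TRUE on R >= 3.2.0 builds that can fetch https://.
check_transport <- function(url) {
  if (grepl("^https://", url)) {
    if (!isTRUE(capabilities("libcurl"))) {
      stop("this R build cannot fetch https:// URLs; upgrade to R >= 3.2.0 with libcurl")
    }
    return(invisible(TRUE))
  }
  stop(sprintf("refusing to fetch %s over plain HTTP: an on-path attacker can replace it", url))
}

# Download a script to disk, verify it against a hash you trust, then source() it.
# Compared with source(url), the script is never executed before verification,
# and a MITM that alters the bytes causes a hash mismatch rather than code execution.
source_verified <- function(url, expected_sha256, destfile = tempfile(fileext = ".R")) {
  check_transport(url)
  download.file(url, destfile, mode = "wb", method = "libcurl")
  actual <- digest::digest(file = destfile, algo = "sha256")
  if (!identical(tolower(actual), tolower(expected_sha256))) {
    unlink(destfile)
    stop(sprintf("hash mismatch for %s\n  got:      %s\n  expected: %s",
                 url, actual, expected_sha256))
  }
  source(destfile)
  invisible(destfile)
}

# Install BiocInstaller from an HTTPS repository URL (same repository as in the
# answer above, but with the scheme changed). This protects the transport only:
# it does not verify package contents beyond what R itself does, so it still
# requires trusting the bioconductor.org server.
install_bioc_installer_https <- function(version = "3.1") {
  repo <- sprintf("https://bioconductor.org/packages/%s/bioc", version)
  check_transport(repo)
  install.packages("BiocInstaller", repos = repo, method = "libcurl")
  library(BiocInstaller)  # biocLite() is now available
}

# Usage (placeholder hash; replace with a value obtained out-of-band):
# source_verified("https://bioconductor.org/biocLite.R",
#                 expected_sha256 = "0000000000000000000000000000000000000000000000000000000000000000")
# install_bioc_installer_https("3.1")
```

Note the trust boundary each function actually moves: `source_verified()` removes the need to trust the network and the server for the installer script, but only if the pinned hash came from somewhere the attacker cannot tamper with; `install_bioc_installer_https()` removes the network from the trusted set but still trusts the repository host, which is exactly the residual risk Dan describes for package substitution.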