Bioconductor Installation may be insecure against man-in-the-middle attacks
1
0
Entering edit mode
@willtownes-8097
Last seen 4.2 years ago
United States

The installation procedure for bioconductor may be vulnerable to man-in-the-middle attacks, because it is calling `source()` on an HTTP URL. I am not a security expert but it seems like HTTPS should be used instead, or perhaps some kind of signing of the code, and/or verifying using checksums? If the current procedure is actually secure, please explain why we should not be worried. Maybe there is something about the `source()` function that prevents these attacks, but I did not find it in the documentation. I have asked this question on Stack Overflow as well.

security http source installation • 2.1k views
ADD COMMENT
0
Entering edit mode

I just updated my version of R and it now appears to be supporting HTTPS URLs for installing packages from CRAN. I tried using the source() bioconductor with HTTPS instead of HTTP and it worked. I recommend you all to update the documentation on the main page, as well as the biocLite() function, to improve security.

ADD REPLY
0
Entering edit mode

We will do this when https support is in an officially released version of R (which will be version 3.2.2 later this month).

Thanks.

ADD REPLY
2
Entering edit mode
Dan Tenenbaum ★ 8.2k
@dan-tenenbaum-4256
Last seen 6 months ago
United States

Base R does not support HTTPS out of the box (though I hear this may change soon), it's available through add-on packages such as RCurl.

If you want to install the current release of  Bioconductor (3.1) without using source(), do this:

install.packages("BiocInstaller",
    repos="http://bioconductor.org/packages/3.1/bioc") 
library(BiocInstaller) # the biocLite() command is now available

 

ADD COMMENT
0
Entering edit mode

Oops, the current release version of Bioconductor is 3.1. Edited message to reflect that.

ADD REPLY
0
Entering edit mode

Thanks! Would it make sense to provide this information on the installation page so that other users like myself who may not be savvy to security issues can avoid the MITM risk? It seems like the more secure method should be suggested as the default procedure.

ADD REPLY
0
Entering edit mode

The method suggested above does not avoid the MITM risk. It just avoids using source() which could potentially execute malicious code if there was a MITM. It does not prevent you from executing malicious code inside packages that you download since the MITM could substitute bad packages for good ones (and checksums would not help in this case).  It may be that install.packages() and friends (upon which biocLite() is based) will be updated to use HTTPS, hopefully before the next R release. 

ADD REPLY
0
Entering edit mode

OK, so it sounds like at this point there is no way to avoid the MITM risk until HTTPS is supported by base R. I guess I'll just keep using the default installation method and hope that HTTPS support comes soon.

ADD REPLY

Login before adding your answer.

Traffic: 457 users visited in the last hour
Help About
FAQ
Access RSS
API
Stats

Use of this site constitutes acceptance of our User Agreement and Privacy Policy.

Powered by the version 2.3.6