Best Practices for Using R Securely

By Blog

The R Consortium was formed to serve the interests of the R user community, and to that end the members of the R Consortium would like to share some best practices for using R securely and safely. These recommendations are not unique to R: you should follow similar practices for any software you download from the Internet.

If you download R (or R packages) using an unencrypted Internet connection, there is a possibility that a malicious actor could modify the code in transit (or substitute their own file), if they have access to the connection linking you and the CRAN server delivering the code. (This is possible, for example, when you download R using an unsecured Wi-Fi network.) This could potentially give an attacker the same rights you have to execute code on your system.

To eliminate the possibility of such an attack, the R Consortium recommends that all R users always download R and R packages over an encrypted HTTPS connection from a secure server. This document describes steps you can take to configure your existing or new R installations to adhere to best practices for secure R use.

1. Always download R installers from a CRAN server using HTTPS

Every time you download R, make sure you are connected to the download site using a secure HTTPS connection. Check that the URL of the web page you are using to download R begins with “https://” (not “http://”) and that your browser reports the site to be secure. (Here are some ways you can check: http://info.ssl.com/article.aspx?id=10068.)

If you are downloading R from CRAN, the following CRAN mirrors support HTTPS and we recommend using one of them:

The above list is complete as of August 12, 2015. Check the list of CRAN Mirrors for other HTTPS mirrors added since then.

2. Check the MD5 checksums of R before you begin the installation.

When you download R, the same webpage should also provide the “md5 checksum” for the installation. (It will be a long string of letters and digits. Here’s an example — but remember, it will be different for every version of R: 9578948a99ee6b74ff10b71b0891b94c.) After you download the file to install R, you should generate another md5 checksum for the file you downloaded, and make sure it matches the checksum provided on the download site. (Here are instructions for doing so on Windows, Linux, and Mac OS X.) If the checksums do not match, do not install R using that file.
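One way to do the comparison from inside R itself, added here as an example rather than taken from the post: tools::md5sum() (part of base R) hashes the downloaded file and the result is compared with the value copied from the download page. The self-check uses a constructed temporary file whose content ("abc") has the standard MD5 test-vector value; the path and checksum in the last line are placeholders.

```r
# Added example (not from the R Consortium post): verify a downloaded
# installer against the MD5 checksum published on the download page.
verify_md5 <- function(path, expected) {
  if (!file.exists(path)) stop("file not found: ", path)
  actual <- unname(tools::md5sum(path))
  # normalise case and whitespace so a copy-pasted value compares cleanly
  ok <- identical(tolower(trimws(actual)), tolower(trimws(expected)))
  if (!ok) {
    warning(sprintf(paste("MD5 mismatch for %s",
                          "  expected: %s",
                          "  actual:   %s",
                          "  do not install this file", sep = "\n"),
                    path, expected, actual))
  }
  ok
}

# Constructed self-check: "abc" is the RFC 1321 MD5 test vector.
tmp <- tempfile(fileext = ".exe")
cat("abc", file = tmp)                      # cat() adds no trailing newline
stopifnot(verify_md5(tmp, "900150983CD24FB0D6963F7D28E17F72"))  # matches
verify_md5(tmp, "9578948a99ee6b74ff10b71b0891b94c")  # the post's sample value: FALSE, with a warning
unlink(tmp)

# Real use (placeholders):
# verify_md5("~/Downloads/R-installer.exe", "<checksum copied from the https download page>")
```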

3. Configure R for secure file downloads

When downloading files over the Internet (including R packages), R must be configured to use a download method that supports HTTPS, so that a secure, HTTPS-enabled web server can be used. To configure R appropriately, add code to your .Rprofile or Rprofile.site file. The instructions vary depending on the version of R and operating system you use. Note that this is the default configuration for R 3.2.2, so you do not need to take any action for R 3.2.2 or any later version of R.

R 3.2.0 and R 3.2.1

Windows:

options(download.file.method = "wininet")

OS X and Linux:

options(download.file.method = "libcurl")

R 3.1 and earlier

Windows:

utils::setInternet2(TRUE)

options(download.file.method = "internal")

OS X:

options(download.file.method = "curl")

Linux:

options(download.file.method = "wget")

4. Always download CRAN packages from a secure mirror

The same cautions apply to R packages. Always make sure you are using a CRAN mirror that supports HTTPS, such as one from the list given in point 1 above.

To configure R to automatically use a secure mirror, add the following code to your .Rprofile or Rprofile.site file, using the mirror of your choice (beginning with “https://”) in the first line.

securemirror <- "https://cran.r-project.org/"   # replace with the HTTPS mirror of your choice

local({
  r <- getOption("repos")
  r["CRAN"] <- securemirror
  options(repos = r)
})
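As an added example, not code from the R Consortium post, the following single .Rprofile block combines steps 3 and 4: it selects the download method listed in step 3 for the running R version and platform, pins CRAN to an HTTPS mirror (https://cran.r-project.org/ is assumed; substitute your chosen mirror), and defines a small check function (repos_are_https, a name chosen here) that confirms every configured repository URL is HTTPS, so an http:// mirror left over from an older profile is caught before the next install.packages() call.

```r
# Added example (not the post's own code): one .Rprofile block covering
# steps 3 and 4 of the post for any R version it mentions.
local({
  v  <- getRversion()
  on_windows <- .Platform$OS.type == "windows"
  on_mac     <- !on_windows && identical(Sys.info()[["sysname"]], "Darwin")
  secure_mirror <- "https://cran.r-project.org/"   # assumed; use any HTTPS mirror

  if (v >= "3.2.2") {
    # HTTPS-capable download method is already the default: nothing to set.
  } else if (v >= "3.2.0") {
    options(download.file.method = if (on_windows) "wininet" else "libcurl")
  } else {
    # R 3.1 and earlier, per the post
    if (on_windows) {
      utils::setInternet2(TRUE)
      options(download.file.method = "internal")
    } else if (on_mac) {
      options(download.file.method = "curl")
    } else {
      options(download.file.method = "wget")
    }
  }

  r <- getOption("repos")
  r["CRAN"] <- secure_mirror
  options(repos = r)
})

# Sanity check: TRUE only when every configured repo URL uses https://.
# "@CRAN@" is R's placeholder for "no mirror chosen yet" and is ignored.
repos_are_https <- function(repos = getOption("repos")) {
  urls <- unname(repos)
  urls <- urls[!is.na(urls) & urls != "@CRAN@"]
  length(urls) > 0 && all(grepl("^https://", urls))
}
repos_are_https()   # TRUE after the block above has run
```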

Note that you do not need to check md5 sums for packages: R automatically checks md5 checksums before it installs any package.

Summary

With these simple steps, you can eliminate one vector of attack for a malicious actor who can intercept your communications. The R Consortium recommends all R users follow this practice.

The R Consortium Begins its Mission

By Blog

Since the announcement of the R Consortium on June 30, the members of the Consortium have begun the mission of supporting the R project and the vast community of R users around the world. The first task was to appoint members of the Board of the R Consortium, and to that end we are pleased to announce the following board members:

JJ Allaire, RStudio

Louis Bajuk-Yorgan, Tibco

John Chambers, R Foundation

Richard Pugh, Mango Solutions

David Smith, Microsoft

We are also pleased to announce that Richard Pugh has been elected as President of the R Consortium board.

The next step is to form the Infrastructure Steering Committee, which will then select and oversee the various projects undertaken by the R Consortium on behalf of its members and the R Community. The R Consortium Board welcomes suggestions from the R Community of suitable projects to pursue. We will publish a formal process for proposals soon, but in the meantime we welcome suggestions from anyone to info@r-consortium.org.