Good advice for security with R

[This article was first published on Revolutions, and kindly contributed to R-bloggers]. (You can report issue about the content on this page here)
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

Everyone needs to be vigilant about security on the Web today. One particular threat — the man-in-the-middle attack — is a risk anytime you are communicating over the Internet, and an attacker has access to the network between the two endpoints. This is a possibility whenever you are using the Web over an unencrypted channel, or when using an unsecured Wi-Fi access point (to name just two examples). The attacker could eavesdrop on your communications, or even alter or substitute your data.

This is a possible vector for inserting malware on your machine: if you download a program to your computer over an unsecured channel, an attacker could substitute that program with one that includes a malicious payload. When downloading software over the web, it's always a good idea to make sure you're using an encrypted connection, from a website URL beginning with https:// (and not just http).

This applies to all software you download over the internet, and R is no exception. R packages should also be treated in the same manner, since packages also include executable code. To this end, the R Consortium has published a useful guide regarding best practices for using R securely. In short, you should always download R from a secure server, verify the MD5 checksums, and download R packages from a secure server.

Fortunately, many CRAN mirrors (including the master CRAN mirror, the Revolution Analytics mirror, and the RStudio mirror) support HTTPS today, and have defaulted to HTTPS downloads since before the release of R 3.2.2. Furthermore, R 3.2.2 supports package downloads using HTTPS, so if you downloaded R 3.2.2 (or later) from a secure mirror and are using that secure mirror as your default CRAN repository for packages, you're already protecting yourself from a man-in-the-middle attack. If you're using an earlier version of R, it's easy to configure it for HTTPS by using the steps in the R Consortium guide.

Revolution R Open 3.2.1 is also secure by default: MRAN defaults to HTTPS, and the default CRAN snapshot is also a secure (HTTPS-enabled) repository on MRAN. If you're using an earlier version of Revolution R Open, you should similarly follow the steps in the R Consortium guide for the corresponding version of R. And if you're using Revolution R Enterprise, we've provided simple steps to configure Revolution R Enterprise 7.4.1 for secure package downloads.

These are simple steps everyone should take. And remember: anytime you're downloading software from the Internet, make sure it's via https://.

R Consortium: Best Practices for Using R Securely

To leave a comment for the author, please follow the link and comment on their blog: Revolutions. offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

Never miss an update!
Subscribe to R-bloggers to receive
e-mails with the latest R posts.
(You will not see this message again.)

Click here to close (This popup will not appear again)