There are many R packages that connect to the internet, whether it's to import data (readr), install packages from Github (devtools), connect with cloud services (AzureML), or many other web-connected tasks. There's one R package in particular that provides the underlying connection between R and the Web: curl, by Jeroen Ooms, who is also the new maintainer for R for Windows. (The name comes from curl, a command-line utility and interface library for connecting to web-based services). The curl package provides replacements for the standard url
and download.file
functions in R with support for encryption, and the package was recently updated to enhance its security, particularly on Windows.
To implement secure communications, the curl package needs to connect with a library that handles the SSL (secure socket layer) encryption. On Linux and Macs, curl has always used the OpenSSL library, which is included on those systems. Windows doesn't have this library (at least, outside of the Subsystem for Linux), so on Windows the curl package included the OpenSSL library and associated certificate. This raises its own set of issues (see the post linked below for details), so version 3.0 of the package instead uses the built-in winSSL library. This means curl uses the same security architecture as other connected applications on Windows.
This shouldn't have any impact on your web-connectivity from R now or in the future, except the knowledge that the underlying architecture is more secure. Nonetheless, it's possible to switch back to OpenSSL-based encryption (and this remains the default on Windows 7, which does not include the winSSL).
Version 3.0 of the curl package is available now on CRAN (though you'll likely never need to load it explicitly — packages that use it do that for you automatically). You can learn more about the changes at the link below. If you'd like to know more about what the cur packahe can do, this vignette is a great place to start. Many thanks to Jeroen Ooms for this package.
It seems from the linked article that it is versions *before* Windows 7 that will fall back on OpenSSL, not versions up to and including.
Posted by: Mark Adamson | November 14, 2017 at 14:36