*** This bug is a security vulnerability ***

Public security bug reported:
Binary package hint: checkbox

Checkbox collects personal and private system data and sends it to launchpad.net. However, it fails to verify that the ssl certificate for launchpad.net is valid.

Here is the relevant code.

plugins/launchpad_exchange.py uses HTTPTransport from checkbox/lib/transport.py, which uses httplib.HTTPSConnection by default. This is not secure as per the documentation at http://docs.python.org/library/httplib.html#httplib.HTTPSConnection

However, if the user is using a https proxy (really unlikely), then the code (connection = ProxyHTTPSConnection(host, port)) will use the ProxyHTTPSConnection connection which does ->

    class ProxyHTTPSConnection(ProxyHTTPConnection):

        default_port = httplib.HTTPS_PORT

        def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None):
            ProxyHTTPConnection.__init__(self, host, port)
            self.key_file = key_file
            self.cert_file = cert_file

        def connect(self):
            ProxyHTTPConnection.connect(self)
            self.sock = _ssl_wrap_socket(self.sock, self.key_file, self.cert_file)

So it would use _ssl_wrap_socket which is defined at the top as

    # Build the appropriate socket wrapper for ssl
    try:
        # Python 2.6 introduced a better ssl package
        import ssl
        _ssl_wrap_socket = ssl.wrap_socket
    except ImportError:
        # Python versions prior to 2.6 don't have ssl and ssl.wrap_socket instead
        # they use httplib.FakeSocket
        def _ssl_wrap_socket(sock, key_file, cert_file):
            ssl_sock = socket.ssl(sock, key_file, cert_file)
            return httplib.FakeSocket(sock, ssl_sock)

However, as the code has connection = ProxyHTTPSConnection(host, port) --> when it is going to use the ProxyHTTPSConnection class, the certificate information will be None here and therefore this code (from what I see) will not make the data transfer between checkbox and launchpad.net secure via the https proxy.

You can test this out by editing /etc/hosts and pointing launchpad.net to another ip (which has an https server running) and viewing the data exchange in wireshark.
** Affects: checkbox (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

** This bug has been flagged as a security vulnerability

-- 
checkbox fails to verify ssl validity in data exchange with launchpad.net
https://bugs.launchpad.net/bugs/625076
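
Added example, not part of the original report and not checkbox's own code: a Python 3 sketch of the check the report says is missing, for both the direct path and the CONNECT-proxy path. The function names and the proxy address used in testing are assumptions made for illustration; legacy_default_context() reproduces the no-verification settings that a bare wrap_socket(sock, key_file, cert_file) call ended up with.

```python
import http.client
import ssl


def legacy_default_context():
    """Settings equivalent to the report's wrap_socket(sock, key_file, cert_file):
    no cert_reqs and no CA bundle were passed, so nothing is verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """Client context that requires a trusted chain and a hostname match.
    cafile=None means the system trust store."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def verification_gaps(ctx):
    """Return the reasons a client context would accept an impostor server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not validated")
    if not ctx.check_hostname:
        gaps.append("certificate name is not matched against the host")
    return gaps


def open_connection(host, ctx, proxy=None):
    """Build (without connecting) an HTTPS connection to host, optionally
    through a CONNECT proxy given as (proxy_host, proxy_port)."""
    gaps = verification_gaps(ctx)
    if gaps:
        raise ValueError("refusing unverified TLS: " + "; ".join(gaps))
    if proxy is None:
        return http.client.HTTPSConnection(host, context=ctx)
    proxy_host, proxy_port = proxy
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, context=ctx)
    # After CONNECT succeeds, TLS is negotiated with `host` through the tunnel,
    # so the certificate is checked against `host`, not against the proxy.
    conn.set_tunnel(host, 443)
    return conn
```
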