checkbox fails to verify ssl validity in data exchange with

Bug #625076 reported by dave b. on 2010-08-27
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Marc Tardif
checkbox (Ubuntu)
Marc Tardif
Marc Tardif

Bug Description

Binary package hint: checkbox

Checkbox collects personal and private system data and sends it to However, it fails to verify that the ssl certificate for is valid.

Here is the relevant code.
plugins/ uses HTTPTransport from checkbox/lib/, which uses
httplib.HTTPSConnection by default. This is not secure as per the documentation at

However, if the user is using an https proxy (really unlikely), then the code (connection = ProxyHTTPSConnection(host, port)) will use the ProxyHTTPSConnection connection, which does ->

class ProxyHTTPSConnection(ProxyHTTPConnection):

    default_port = httplib.HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None):
        ProxyHTTPConnection.__init__(self, host, port)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        self.sock = _ssl_wrap_socket(self.sock, self.key_file, self.cert_file)

So it would use _ssl_wrap_socket

which is defined at the top as

# Build the appropriate socket wrapper for ssl
try:
    # Python 2.6 introduced a better ssl package
    import ssl
    _ssl_wrap_socket = ssl.wrap_socket
except ImportError:
    # Python versions prior to 2.6 don't have ssl and ssl.wrap_socket instead
    # they use httplib.FakeSocket
    def _ssl_wrap_socket(sock, key_file, cert_file):
        ssl_sock = socket.ssl(sock, key_file, cert_file)
        return httplib.FakeSocket(sock, ssl_sock)

However, as the code has connection = ProxyHTTPSConnection(host, port) --> when it is going to use the ProxyHTTPSConnection class, the certificate information will be None here and therefore this code (from what I see) will not make the data transfer between checkbox and secure via the https proxy.

You can test this out by editing /etc/hosts and pointing to another ip (which has an https server running) and viewing the data exchange in wireshark.

dave b. (d+b) on 2010-08-27
security vulnerability: yes → no
visibility: private → public
security vulnerability: no → yes
Kees Cook (kees) on 2010-08-28
Changed in checkbox (Ubuntu):
milestone: none → ubuntu-10.10-beta
status: New → Confirmed
importance: Undecided → High
Steve Beattie (sbeattie) wrote :

Marc, can you look at this issue? Thanks.

Changed in checkbox (Ubuntu Maverick):
assignee: nobody → Marc Tardif (cr3)
Changed in checkbox (Ubuntu Maverick):
milestone: ubuntu-10.10-beta → ubuntu-10.10
Marc Tardif (cr3) wrote :

I have linked a branch to this bug which attempts to fix the problem and requested a merge proposal to be reviewed by Kees, just to make sure the problem is being addressed securely.

Changed in checkbox (Ubuntu Maverick):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package checkbox - 0.10.3

checkbox (0.10.3) maverick; urgency=low

  New upstream release (LP: #638333):
  * Fixed verification of SSL validity (LP: #625076)
  * Improved audio test questions.
 -- Marc Tardif <email address hidden> Tue, 14 Sep 2010 12:43:51 -0400

Changed in checkbox (Ubuntu Maverick):
status: In Progress → Fix Released
dave b. (d+b) wrote :

You know what, this bug isn't fixed. You clearly didn't test it.
As per you are vulnerable. Test it yourself using the test I put above again... all that is different is that now you don't follow the redirect to an http:// location from what I can see.

So your application is still vulnerable: as long as I have a certificate signed by a CA in the CA store, I can MITM checkbox.

Please test your patches before saying they fix things and EVEN better add a test to check it has been fixed.

Please let me know if I am wrong :)

dave b. (d+b) wrote :

XXX - - [29/Sep/2010:22:31:30 +1000] "POST HTTP/1.1" 404 4 "" "checkbox-gtk/0.9.1"
to my host for example ;)

Marc Deslauriers (mdeslaur) wrote :

Reopening bug as per last comment. Checkbox must also validate that the hostname matches the certificate. Please see example code in the following places:

Changed in checkbox (Ubuntu):
status: Fix Released → Confirmed
Changed in checkbox (Ubuntu Maverick):
status: Fix Released → Confirmed
Changed in checkbox (Ubuntu Maverick):
milestone: ubuntu-10.10 → maverick-updates
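
The two checks at issue in this report, as an added example (not checkbox's code and not written by any commenter): verifying the certificate chain alone leaves the gap described in the reopening comment, so the requested hostname must also be matched against the certificate. `hostname_matches` is a hypothetical helper that covers DNS names only, and the certificates and `submit.example.com` are constructed placeholders; current Python performs this match during the handshake when `check_hostname` is enabled.

```python
import ssl

# Constructed sample certificates in the shape getpeercert() returns.
EXPECTED_HOST = "submit.example.com"  # placeholder name, not from the report
GENUINE = {"subject": ((("commonName", "submit.example.com"),),),
           "subjectAltName": (("DNS", "submit.example.com"),)}
# Valid chain, but issued for a different site: passes a CA-only check.
OTHER_SITE = {"subject": ((("commonName", "www.other.example"),),),
              "subjectAltName": (("DNS", "www.other.example"),)}


def _label_match(pattern, host):
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire left-most label,
    # and never directly under a top-level domain ("*.com").
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """Return True if the certificate was issued for `hostname`.

    DNS subjectAltName entries take precedence; commonName is consulted
    only when the certificate carries no DNS SAN at all.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    return any(_label_match(n.lower().rstrip("."), host) for n in names)


def ca_only_context():
    """Chain verified, hostname not: any cert from a trusted CA is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_context():
    """Chain and hostname are both verified during the handshake."""
    return ssl.create_default_context()
```

Pass the server name to `wrap_socket(sock, server_hostname=...)` on the hardened context so the handshake has a name to check against.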
Jamie Strandboge (jdstrand) wrote :

@Marc Tardif, what is the status of this bug?

Ara Pulido (ara) wrote :

We will have a look at this one during next week's sprint.

Changed in checkbox:
assignee: nobody → Canonical Hardware Certification (canonical-hw-cert)
importance: Undecided → High
milestone: none → 0.12.5
status: New → Triaged
Ara Pulido (ara) on 2011-09-02
Changed in checkbox:
milestone: 0.12.5 → 0.12.6
Marc Tardif (cr3) on 2011-09-09
Changed in checkbox:
status: Triaged → In Progress
assignee: Canonical Hardware Certification (canonical-hw-cert) → Marc Tardif (cr3)
Marc Tardif (cr3) on 2011-09-14
Changed in checkbox:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package checkbox - 0.12.7

checkbox (0.12.7) oneiric; urgency=low

  New upstream release (LP: #850395):

  [Brendan Donegan]
  * Redirecting stderr to pipe to fix the gconf_resource script (LP: #832321)
  * Clear jobs directory when user selects No to recover question (LP: #836623)

  [Daniel Manrique]
  * checkbox/ Guard against bogus timeout values (LP: #827859)
  * More explicit handling of string decoding/encoding, avoids problems with
    non-ascii characters (LP: #833747)
  * Changed architecture from all to any for checkbox base, to build
    architecture-specific binaries (LP: #833696)

  [Jeff Lane]
  * Several corrections necessary due to test name changes or typos found in
    job files

  [Marc Tardif]
  * Connecting hyper text widgets only once (LP: #827904)
  * Detecting MMC readers as OTHER instead of DISK (LP: #822948)
  * Validating the hostname in the SSL certificate (LP: #625076)
  * Validating the submission.xml (LP: #838123)
 -- Daniel Manrique <email address hidden> Fri, 14 Sep 2011 17:15:26 -0400

Changed in checkbox (Ubuntu):
status: Confirmed → Fix Released
Marc Tardif (cr3) on 2011-09-15
Changed in checkbox:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see for currently supported Ubuntu

Please feel free to report any other bugs you may find.

Changed in checkbox (Ubuntu Maverick):
status: Confirmed → Won't Fix
This report contains Public Security information
Everyone can see this security related information.
