Beware: This, like all Internet voting schemes to date, is too insecure, and this is brittle software #1

Open
nealmcb opened this issue Aug 16, 2016 · 0 comments
nealmcb commented Aug 16, 2016

The README for this project omits some critical information.

Most obviously, when used in the US District of Columbia Vote-By-Mail (VBM) trial in 2010, this software was thoroughly compromised by a team from the University of Michigan. See "Attacking the Washington, D.C. Internet Voting System" by Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman.

Even assuming that the specific bugs they identified may already be fixed, they note that the architecture of this software reveals a "brittle" approach to security, and the use of COTS code is also problematic since COTS developers commonly use a "penetrate and patch" methodology. Rather than carefully building in security defense-in-depth from the beginning, developers most often only react to demonstrations of "penetration", and apply "patches".

For example, besides the many, many issues with the software and the deployment in DC noted by the Michigan paper, this software also relies on a flawed ballot marking approach. It requires users to mark their ballots via their own PDF software and upload the PDFs to this software. It was quickly discovered that for users of Safari on the Mac, using the native built-in PDF support, the SAVE AS command saves the unmodified blank PDF of the user's ballot instead of the modified version that contains the marks with the user's votes. This would likely disenfranchise some voters who would think they had voted just fine.

Also, allowing users to upload their own PDFs to the online server, which are then interpreted by the offline tabulator, allows for attacks on that offline tabulator via cleverly-crafted PDF files.

It is also a usability problem, since many users will not have used a PDF form-filling application, and such applications often have other usability issues, such as not allowing a user to deselect a choice once a choice has been made.

I heartily applaud the developers and the DC BOEE for releasing the code as open source, and having a public trial to provide some chance that security flaws would be found. But the lessons learned should also be incorporated into the publicly posted repository!
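The two PDF problems raised above (a "Save As" that silently uploads a blank ballot, and user-supplied PDFs being fed to the offline tabulator) are the kind of thing an upload path can screen for before a file ever reaches the tabulator. The following is an added example written for this issue; it is not code from the DC VBM project or from the Michigan paper. It assumes ballots are AcroForm PDFs (form fields are dictionaries carrying `/FT`, `/T` and `/V`), which is how PDF form fillers store marks; the sample "ballots" are constructed byte strings, the field names and the 5 MiB size cap are invented, and the regex rules are a screening layer in front of a real parser, not a replacement for one.

```python
"""Pre-tabulation screening of voter-uploaded PDF ballots (added example).

Two checks: (1) reject a ballot that carries no marked fields, which is
exactly what the Safari "Save As" failure produces; (2) quarantine a ballot
that carries active content a ballot has no reason to contain, so it is
never handed to the tabulator's PDF interpreter.
"""
import re

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)      # "N 0 obj ... endobj"
NAME_RE = re.compile(rb"/T\s*\(([^)]*)\)")                       # field name /T (name)
VALUE_RE = re.compile(rb"/V\s*(/[^\s/>\[\]()]+|\([^)]*\))")       # /V /Name or /V (string)
# PDF features that have no business in a marked ballot; hypothetical policy list.
RISKY_RE = re.compile(rb"/(JavaScript|JS|Launch|EmbeddedFile|OpenAction|AA|RichMedia|XFA)\b")
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap for an uploaded ballot


def inspect_ballot(data: bytes) -> dict:
    """Split form fields into marked/unmarked and list risky features present."""
    marked, unmarked = [], []
    for _num, body in OBJ_RE.findall(data):
        if b"/FT" not in body:
            continue  # not a form-field dictionary
        name_m = NAME_RE.search(body)
        name = name_m.group(1).decode("latin-1") if name_m else "<unnamed>"
        val_m = VALUE_RE.search(body)
        value = val_m.group(1) if val_m else b""
        # A checkbox/radio stores its state as a name (/Off = unmarked);
        # a text field stores a string, empty "()" when untouched.
        if value in (b"", b"/Off", b"()"):
            unmarked.append(name)
        else:
            marked.append(name)
    risky = sorted({m.group(1).decode() for m in RISKY_RE.finditer(data)})
    return {"marked": marked, "unmarked": unmarked, "risky": risky}


def accept_ballot(data: bytes):
    """Return (accepted, reason); a rejection goes back to the voter or to quarantine."""
    if not data.startswith(b"%PDF-"):
        return False, "not a PDF"
    if len(data) > MAX_BYTES:
        return False, "file exceeds size cap"
    info = inspect_ballot(data)
    if info["risky"]:
        return False, "active content not allowed in a ballot: " + ", ".join(info["risky"])
    if not info["marked"]:
        # The unmodified blank PDF that Safari's Save As produces lands here:
        # syntactically fine, but no contest is marked.
        return False, "no contests marked; the uploaded file is a blank ballot"
    return True, f"{len(info['marked'])} field(s) marked"


# Constructed sample ballots (minimal PDF-like objects, not real DC VBM files).
BLANK_BALLOT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R 3 0 R] >> >> endobj\n"
    b"2 0 obj << /FT /Btn /T (mayor_candidate_a) /V /Off /AS /Off >> endobj\n"
    b"3 0 obj << /FT /Tx /T (council_writein) /V () >> endobj\n"
    b"%%EOF\n"
)
MARKED_BALLOT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R 3 0 R 4 0 R] >> >> endobj\n"
    b"2 0 obj << /FT /Btn /T (mayor_candidate_a) /V /Yes /AS /Yes >> endobj\n"
    b"3 0 obj << /FT /Btn /T (mayor_candidate_b) /V /Off /AS /Off >> endobj\n"
    b"4 0 obj << /FT /Tx /T (council_writein) /V () >> endobj\n"
    b"%%EOF\n"
)
# Marked, but the catalog triggers a JavaScript action on open: quarantine it.
SUSPICIOUS_BALLOT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R /AcroForm << /Fields [2 0 R] >> >> endobj\n"
    b"2 0 obj << /FT /Btn /T (mayor_candidate_a) /V /Yes /AS /Yes >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, ballot in [("blank", BLANK_BALLOT), ("marked", MARKED_BALLOT),
                          ("suspicious", SUSPICIOUS_BALLOT)]:
        print(label, accept_ballot(ballot), inspect_ballot(ballot))
```

Both rejections are actionable: the blank-ballot case is a voter-facing message ("your upload contains no marks; re-save from a PDF form filler"), while the active-content case is a quarantine event for election staff, and in a real deployment the accepted file would still be re-rendered through a hardened parser rather than trusted on the strength of a byte-level screen.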
