Thank you, Mr Jefferson, for your comments.
As I said, I was in two minds about the timing of Ms
Teague’s and Mr Halderman’s report.
I am not a person who advocates for 100% internet voting in
parliamentary elections, but I do advocate for it to be implemented for use by
those who would otherwise not be able to cast a secret or independent vote, or
not be able to cast a vote at all due to the remoteness of their location.
However I do believe that in time internet voting will be
demanded by our technology savvy youth and I also believe at that point in time
internet voting will be developed to a level where the security, transparency
and independent scrutiny will be agreeable to all.
In the meantime, healthy dialogue such as this is an
important part of the tensions that are needed to reach a suitable and safe
outcome as it provides the ongoing pressure for providers, academics, critics
and electoral administrators to continuously improve the processes.
Indeed I am sure that the NSW state election shall give all of
the above cause to think about their future implementations.
However, I am still of the view that the timing and wide
circulation of Ms Teague’s and Mr Halderman’s report was poor form and lacked judgement.
Following my blog, I was subsequently amazed to find from
the NSWEC press release that where I had assumed that Teague and Halderman
would have advised the NSWEC of their findings, incredibly, they had not. Instead they had advised CERT Australia and
local media outlets. It seems that the
release of the report was also timed for a series of seminars that Teague and
Halderman were presenting. So this is
why I sense that perhaps although Teague and Halderman may be working for
altruistic purposes, a path of greater integrity and in the greater public
interest, would have been to advise the NSWEC directly so that together they
could apply the solution and discuss a way forward that would not have caused
so much anxiousness in the cohort of voters as described above.
As for the seriousness of the potential vulnerability. As I
understand it, not one voter has reported that their vote has been recorded
wrongly through the verification process.
To address the vulnerability issue. Teague and Halderman say it is due to the
FREAK flaw via Piwik.
In order to exploit this flaw:
1. The attacker has to be able to intercept the traffic.
2. The SSL could be downgraded via FREAK attack, but would
still need to be broken.
3. The client’s browser would also have to be vulnerable.
4. The encryption would then have to be broken and each vote
changed.
This third point is most important.
Because the FREAK attack was identified in March 2015,
most browsers have been patched or are at different patch levels. You can test
if your browser is vulnerable to FREAK by using this tool: FREAK Client Test Tool. I doubt
very much if there would be many browsers left unpatched.
Most importantly this type of attack is on the client and
not the iVote server.
Your argument Mr Jefferson is "..It allows the attacker
to poison the NSWEC server with malicious Javascript that is in turn served to
every voter thereafter.. "
Your argument is simply wrong.
I am advised that FREAK vulnerabilities in pen testing are
regarded as low risk. I now quote from
https://www.entrust.com/is-your-ssl-server-vulnerable-to-a-freak-attack/
….How bad
is the FREAK vulnerability? Ivan Ristić states the following, “In practice, I
don’t think this is a terribly big issue, but only because you have to have
many “ducks in a row”: 1) find a vulnerable server that offers export cipher
suites; 2) it should reuse a key for a long time; 3) break key; 4) find
vulnerable client; 5) attack via MITM (easy to do on a local network or wifi;
not so easy otherwise).” …..
I am not a rabid supporter of electronic voting, nor am I a
rabid naysayer of electronic voting. I believe
electronic voting has its place in the current electoral climate.
A few years ago I conducted a 3 day electronic voting
workshop which brought together academics from Australia and the UK and electoral
administrators from Australia and New Zealand.
One of the goals of the workshop was to give each of these groups a
greater understanding of each other’s needs.
Networks were formed and a greater appreciation of each other’s roles was
understood. Ms Teague attended this workshop. So I am disappointed that in
light of her awareness as to the processes of elections, their conduct and
review that she has chosen to go public with a low risk vulnerability before
contacting the electoral administrators – at the very least, to show a professional
courtesy.
Below are Mr Jefferson's comments
David Jefferson
Ms. Birkenhead, I believe you are mischaracterizing the vulnerability in the NSW voting system that Dr. Teague and Prof. Halderman discovered. You wrote:
“When reading arguments against electronic voting, it is usually along the lines that instead of one paper vote being tampered, or one ballot box being stuffed, that instead a whole database of votes can be changed. But it appears that this is not the hack that Ms Teague found in the NSW system.”
But an attack such as they found can silently and undetectably change every vote cast after the attack. It is indeed an attack on the “whole database” of votes.
You quote Dr. Teague saying “The analogy would be pulling someone's postal vote envelope out of the post, pulling out their vote and finding out how they intended to vote and then putting a different ballot in instead”. Apparently you interpret that to mean that the attack affects only one vote because you respond
“So this finding was not a flaw that could change a whole database of votes.”
But Dr. Teague is saying exactly that. This kind of attack is automated, and can be perpetrated by anyone in the world, remotely. It allows the attacker to poison the NSWEC server with malicious Javascript that is in turn served to every voter thereafter, modifying their ballots in their own computers just before they are encrypted for transmission back to the NSWEC. Teague’s and Halderman’s preliminary report can be found at
https://freedom-to-tinker.com/blog/teaguehalderman/ivote-vulnerability
You quote Mr. Brightwell, Chief Information Officer of NSWEC, as saying “It’s easy enough to [test the attack] if you sit in a local area network and direct yourself to an internal proxy, but in practical terms to intercept the traffic en masse you’d have to somehow sit in between that particular server and the client’s voting”. All I can say is that either Mr. Brightwell does not himself understand the severity of the vulnerability, or he is deliberately putting a PR spin on the NSWEC public position.
When you write that “I am sure that the NSWEC were grateful of the information from Ms. Teague” I have to laugh. The NSWEC has not issued any kind of public thanks for Teague’s and Halderman’s service. On the contrary, it has tried to undermine their credibility publicly by noting that they are on the Advisory Board of Verified Voting, an organization that opposes Internet voting. That is true enough, but how does it detract in any way from their discovery of an exceedingly dangerous security flaw in the iVote system? The NSWEC is just trying to shoot the messengers.
Your major complaint seems to be that the security experts made their report public while the election is still in progress. You would prefer they waited until the election is over and certified. I can see how that would serve the PR interests of the vendor (Scytl) and of the NSWEC. But it does not serve the interest of the public, which might wish to press for suspending use of the iVote system in this election, nor of individual voters, who would still have time to choose a more secure means of voting, nor of parties and candidates who might have reason to challenge the results and would need timely evidence.
Besides this severe security flaw, there are many other things wrong with the iVote system. It has a terrible human interface, and the verification process is also severely flawed. And this is in addition to the disastrous error in which several parties were left entirely off the ballot, demonstrating that this election was started without adequate proofreading and testing.
I believe the NSW should suspend use of the iVote system in this election and insist that Scytl submit it, with source code, for thorough investigation by independent third party security experts including Drs. Teague and Halderman. And if Scytl refuses, NSWEC should scrap the iVote system entirely and permanently.