The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community

Glimmers: Resolving the Privacy/Trust Quagmire

Many successful services rely on trustworthy contributions from users. To establish that trust, such services often require access to privacy-sensitive information from users, thus creating a conflict between privacy and trust. Although it is likely impractical to expect both absolute privacy and trustworthiness at the same time, we argue that the current state of things, where individual privacy is usually sacrificed at the altar of trustworthy services, can be improved with a pragmatic $Glimmer$ $of$ $Trust$, which allows services to validate user contributions in a trustworthy way without forfeiting user privacy. We describe how trustworthy hardware such as Intel's SGX can be used client-side -- in contrast to much recent work exploring SGX in cloud services -- to realize the Glimmer architecture, and demonstrate how this realization is able to resolve the tension between privacy and trust in a variety of cases

What did I really vote for? On the usability of verifiable e-voting schemes

E-voting has been embraced by a number of countries, delivering benefits in terms of efficiency and accessibility. End-to-end verifiable e-voting schemes facilitate verification of the integrity of individual votes during the election process. In particular, methods for cast-as-intended verification enable voters to confirm that their cast votes have not been manipulated by the voting client. A well-known technique for effecting cast-as-intended verification is the Benaloh Challenge. The usability of this challenge is crucial because voters have to be actively engaged in the verification process. In this paper, we report on a usability evaluation of three different approaches of the Benaloh Challenge in the remote e-voting context. We performed a comparative user study with 95 participants. We conclude with a recommendation for which approaches should be provided to afford verification in real-world elections and suggest usability improvements

Practical Attacks on Cryptographically End-to-end Verifiable Internet Voting Systems

Cryptographic end-to-end verifiable voting technologies concern themselves with the provision of a more trustworthy, transparent, and robust elections. To provide voting systems with more transparency and accountability throughout the process while preserving privacy which allows voters to express their true intent. Helios Voting is one of these systems---an online platform where anyone can easily host their own cryptographically end-to-end verifiable election, aiming to bring verifiable voting to the masses. Helios does this by providing explicit cryptographic checks that an election was counted correctly, checks that any member of the public can independently verify. All of this while still protecting one of the essential properties of open democracy, voter privacy. In spite of these cryptographic checks and the strong mathematical assertions of correctness they provide, this thesis discusses the discovery and exploit of three vulnerabilities. The first is the insufficient validation of cryptographic elements in Helios ballots uploaded by users. This allows a disgruntled voter to cast a carefully crafted ballot which will prevent an election from being tallied. The second vulnerability is the insufficient validation of cryptographic parameters used in ElGamal by an election official. This leads to an attack where the election official can upload weak parameters allowing the official to cast arbitrary votes in a single ballot. The final attack is a cross-site scripting attack that would allow anyone to steal or re-cast ballots on behalf of victims. We coordinated disclosure with the Helios developers and provided fixes for all the vulnerabilities outlined in the thesis. Additionally, this thesis adds to the body of work highlighting the fragility of internet voting applications and discusses the unique challenges faced by internet voting applications

Proof of the possibility for a public audit of a secret internet voting system

The aim of this study is to prove the possibility of building a system of secret Internet voting, in which a full-fledged audit is available to all voters and their proxies. A full-fledged audit should be understood as such an audit, in which everything that may be in doubt is checked. The open block of servers was created using Raspberry Pi 3 Model B type minicomputers, which are widely known and well-established. On the basis of an open block of servers, a full-scale model of the system for conducting experimental voting was created and a detailed methodology for a full-fledged audit was developed. This methodology provides for two stages of the audit. In the first stage, voters or their proxies must be present near the server unit. In the second stage, they continue the audit remotely through a dedicated server without losing information about the security of their data. For practical acquaintance with this research, the possibility of experimental voting is given. The experiment can be conducted by anyone at any time through a link on the Internet. Thus, it is shown that not only with traditional secret voting technologies, a full-fledged audit is possible, thanks to which voters have no doubts about maintaining the secrecy of their votes and the honesty of the results. To conduct a full-fledged audit according to the described methodology, it is not require to involve highly qualified specialists, but school education, which is mandatory in many countries, is quite enough. The importance of the results is that the lack of a full-fledged audit of Internet voting systems is the main factor hindering the development of e-democracy. The lack of public auditing of Internet voting systems causes distrust in the possibility of using the Internet to conduct fair election

ONLINE WEB BALLOT APPLICATION

Includes bibliographical references (page 21).The goal of this project is to implement the server side of a web ballot application.\ud With the use of remote voting, voters can cast their ballots from any location. Voters can also vote using Internet-connected computers or hand-held devices. This will be very convenient for the voters (allowing people to vote from their home or other places where they can access the Internet). In this system, the other users can see and analyze the votes cast by different users to different surveys and also cast their own votes on those topics. The users can also get comments from the other users on that topic. And, in this way they can interact with each other. Every survey will have some options and the users have to vote on them. The responses of the users will be stored in the backend. Apparently, a database is called a backend because you cannot see and interact with it directly. The user can only interact with the front end which is an HTML page on the web browser like Safari, Google Chrome or Internet Explorer.\ud The user???s responses will be stored in the database for as long as the database is\ud cleaned by the database administrator after a certain period of time about 2 years.\ud A database is an organized set of data stored in a computer, and it can be accessible via\ud programming languages such as SQL [1]

YeaNay: An Open Source Tool to Rate the Votes of Members of the United States House of Representatives and Senate

Government transparency is typically regarded as the most viable way to strengthen its accountability to the public (Shkabatur, 2012). Even on the international stage, the right to access government information is regarded as fundamental to democracy (Bertot, Jaeger, & Grimes, 2011). In order to improve transparency, the US government made data, like bills and votes, available online (Brito, 2008b). One popular way to organize the data available to the public is through the creation of voter guides. The method an organization used for developing a voter guide was analyzed for this project. In response to the method, a web application (YeaNay) was developed to take the largely manual process and make a highly automated solution. YeaNay utilizes HTML, CSS, and JavaScript to build the user interface and ColdFusion and PL/SQL to query the data necessary for the development of a voter guide. The data are queried either from the database or from Congress API v3 (provided by the Sunlight Foundation). One user, with minimal training, is able to use YeaNay to find and score legislation within minutes for use in a voter guide. YeaNay focuses the firehose of congressional information that is now available and presents it in a manageable and usable environment