October 9, 2015


Security flaw in New South Wales puts thousands of online votes at risk

Update April 26: The technical paper is now available

Update Mar. 23 1:30 PM AEDT: Our response to the NSWEC’s response

New South Wales, Australia, is holding state elections this month, and they’re offering a new Internet voting system developed by e-voting vendor Scytl and the NSW Electoral Commission. The iVote system, which its creators describe as private, secure and verifiable, is predicted to see record turnout for online voting. Voting has been happening for six days, and already iVote has received more than 66,000 votes. Up to a quarter million voters (about 5% of the total) are expected to use the system by the time voting closes next Saturday.

Since we’ve both done extensive research on the design and analysis of Internet voting systems, we decided to perform an independent security review of iVote. We’ll prepare a more extensive technical report after the election, but we’re writing today to share news about critical vulnerabilities we found that have put tens of thousands of votes at risk. We discovered a major security hole allowing a man-in-the middle attacker to read and manipulate votes. We also believe there are ways to circumvent the verification mechanism.

[Read more…]


Heartsick about Heartbleed

Ed Felten provides good advice on this blog about what to do in the wake of Heartbleed, and I’ve read some good technical discussions of the technical problem (see this for a particularly understandable explanation).

Update Apr 11: To understand what Heartbleed is all about, see XKCD. Best. Explanation. Ever.

In this brief posting, I want to look at a different angle – what’s the scope of the vulnerability? [Read more…]