Security questions remain for online voting initiative (Letter to the Editor)

By  | February 11, 2017 | 2 Comments | Filed under: uncategorized

By  | October 6, 2014 13 Comments | Filed under: 2014 Municipal Election

Cambridge Times

CAMBRIDGE– A recent article by Bill Jackson summarized city clerk Michael Di Lullo’s talking points on securing the upcoming municipal election here in Cambridge.

He was asked as to whether the new voting options could increase the potential for voter fraud, and his answers seemed to satisfy those in attendance at the public information session.

To security experts though, these answers seemed more like smoke and mirrors or “nothing to see here, move along.”

The addition of two-factor authentication can go a long way to boost the robustness of any identification system. The problem with the City of Cambridge’s implementation is that the secondary factor is your birth date.

Today’s society is more than happy to leave such information on social networks, so one would have to question why this was chosen as a secondary factor for authentication.

Di Lullo also explained that during this two-step process, their system will email the user a username and password which they can use to authenticate to the actual voting process. This tells us two things.

Firstly, Di Lullo believes that email is a trusted transport protocol. It isn’t.

In fact, SMTP (the email protocol) has zero implementations that include securing the content. You can wrap the whole thing in an SSL connection but that only secures the data during transit and is stripped at the destination.

Secondly, if the system can send me my password, it is either storing this information in plain text or is encrypting it using a key stored on the server itself. Either way, these are really bad security practices, as a compromised server leads to compromised data.

Passwords should always be stored using an irreversible cryptographic hash function so that only the user ever knows what it is.
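To make the difference concrete, here is an added illustration (not code from the City of Cambridge's system or the letter): a reversible "we can email you your password" store, where the decryption key lives on the same server as the records, beside an irreversible salted PBKDF2 store that can only verify an attempt, never hand the password back. The server key and passwords are constructed demo values.

```python
import hashlib
import hmac
import os

# --- Anti-pattern: reversible storage with a key kept on the server. ---
# Stand-in for any reversible scheme: a keystream derived from SERVER_KEY is
# XORed over the password. Whoever holds SERVER_KEY plus the record gets the
# password back, which is exactly what lets the server email it to the user,
# and exactly what an attacker who compromises the server gets as well.
SERVER_KEY = b"constructed-demo-key-stored-on-the-same-server"

def store_reversible(password: str) -> bytes:
    data = password.encode()
    if len(data) > 32:
        raise ValueError("demo keystream covers at most 32 bytes")
    nonce = os.urandom(16)
    stream = hashlib.sha256(SERVER_KEY + nonce).digest()
    return nonce + bytes(p ^ k for p, k in zip(data, stream))

def recover_password(record: bytes) -> str:
    # The existence of this function is the problem the letter describes.
    nonce, body = record[:16], record[16:]
    stream = hashlib.sha256(SERVER_KEY + nonce).digest()
    return bytes(c ^ k for c, k in zip(body, stream)).decode()

# --- Recommended: irreversible, per-user salted, slow hash. ---
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

def store_hashed(password: str) -> bytes:
    # A fresh random salt per record means identical passwords produce
    # different records and precomputed tables are useless.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_hashed(record: bytes, attempt: str) -> bool:
    # Only a yes/no answer is possible: nothing here can reproduce the password.
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

A system built on the second store has no way to "send me my password"; the only recovery path is a reset, which is the property the letter is asking for.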

Additionally, Di Lullo explains that their system will feature “cryptographic network protocols”. Sounds a lot like SSL, though one would assume it was phrased that way because of all of the negative news regarding SSL lately.

Make no mistake though, SSL is still the standard method of encrypting web traffic, but it is far from bulletproof. Add to that, SSL protects traffic to-and-from the web server. Once data reaches the server, the encryption is stripped away leaving the data to the application layer.

If the server is compromised, so is everything coming and going, so there is no need to break the encryption keys.

SSL does not make a website secure; it prevents MITM (man-in-the-middle) attacks. MITM attacks are only a small fraction of the types of attack a system can be subjected to.

Di Lullo goes on to explain that, “Data is encrypted, meaning it’s difficult to hack.”

It sure is, but one slip-up in any part of the website code, the hosting environment, or any of the other hundreds of parts would negate the need to hack the encryption.

For example, one could compromise the web server to obtain the code that sends the username/password to the user. This code would obviously contain the encryption method and key, which can then be used to decrypt the rest of the data on the server.

Remember, SSL = transport layer.

Although the city clerk addressed the question, he didn’t address the website security at a level that would satisfy any security expert. The items he did bring up seem to be buzz-words that he may not even fully grasp since he uses them out of context, leaving the democratic voting mechanism at a loss of trust.

There are several other layers of security that weren’t addressed.

For example, who is hosting the website? Who is securing the hosting environment?

Who is hardening the server's OS and what methodology are they using?

Who has reviewed the website code for vulnerabilities?

How is the data being stored and is the data being stored on a publicly available IP address?

Who is monitoring the system in real time and what are they using for IDS?

What logging is in place and how extensive is it from a forensic standpoint?

Who is responsible for physical security of the website and database?

How many people have access to the physical parts and what access do they have?

Are the servers hosted in a fully PIPEDA compliant environment, with PCI-DSS level compliance in place as well (even though credit cards aren't being stored, a democratic mechanism should be at least as compliant as a payment processor)? Have these systems been subjected to a third party penetration test?

Could the Internet ever be a trusted platform for the democratic process? Doubtful.

Governments with billions invested in security can’t stop leaks, what makes you think the City of Cambridge could?

Kevin Creechan,



Editor’s note: RawInfoSec is a Cambridge-based technology auditing and consulting firm.



2 Responses to Security questions remain for online voting initiative (Letter to the Editor)

Maggie Smith February 13, 2017 at 9:17 am

Great article – truthful – but will our Mayor/Council rectify this crooked set up of voting – not likely.
People – push for Ranked voting – don't let London or another City beat us to it. Let's be a leader here in Cambridge.
Pass on the word – make it be heard – Ranked voting.
Let's show Trudeau the liar he is by going back on his word also. I guess both he & Craig are afraid of some honest voting numbers.
Ranked voting………

Tom Vann February 13, 2017 at 5:19 pm

There is no man more dangerous or dastardly than a politician that wants to stay in power.
