Abstract
In many real-world deployments of online voting, Transport Layer Security (TLS) represents the primary (and in some cases only) line of defense against network based man-in-the-middle attacks that can steal voter credentials and modify ballot selections. In this paper we examine online voting in the context of TLS stripping attacks, which exploit the situation where a voter types or clicks a URL of the form example.com or http://example.com. Despite the widespread availability of effective protections, we present a study of voting-related websites finding the overwhelming majority are vulnerable to TLS stripping to some degree, with most offering no explicit protection at all.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
More commonly known as SSL Stripping, it was originally named after the now-deprecated Secure Sockets Layer (SSL) protocol.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
US Office of Management and Budget. Memorandum M-15-13, 2015. https://https.cio.gov.
- 8.
- 9.
- 10.
- 11.
R. v. Sona, 2016 ONCA 452, Court of Appeals for Ontario, 2016. http://www.ontariocourts.ca/decisions/2016/2016ONCA0452.pdf.
- 12.
- 13.
References
Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 5–17. ACM (2015)
Alsharnouby, M., Alaca, F., Chiasson, S.: Why phishing still works: user strategies for combating phishing attacks. Int. J. Hum.-Comput. Stud. 82, 69–82 (2015)
Amrutkar, C., Traynor, P., Van Oorschot, P.C.: An empirical evaluation of security indicators in mobile web browsers. IEEE Trans. Mob. Comput. 14(5), 889–903 (2015)
Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 511-525. IEEE (2013)
Culnane, C., Eldridge, M., Essex, A., Teague, V.: Trust implications of DDoS protection in online elections. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 127–145. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68687-5_8
Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM (2006)
Dorey, K., Chang-Fong, N., Essex, A.: Indiscreet logs: Diffie-Hellman backdoors in TLS. In: Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 2017). The Internet Society (2017)
Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 475–488. ACM (2014)
Dzieduszycka-Suinat, S., et al.: The future of voting: end-to-end verifiable internet voting - specification and feasibility study. US Vote Foundation (2015)
Essex, A.: Detecting the detectable: unintended consequences of cryptographic election verification. IEEE Secur. Priv. 15(3), 30–38 (2017)
Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M.: POODLEs, more POODLEs, FREAK attacks too: how server administrators responded to three serious web vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 122–137. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30806-7_8
Halderman, J.A., Teague, V.: The New South Wales iVote system: security failures and verification flaws in a live online election. In: Haenni, R., Koenig, R.E., Wikström, D. (eds.) VOTELID 2015. LNCS, vol. 9269, pp. 35–53. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22270-7_3
Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS), RFC 6797 (2012)
Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: NDSS (2015)
Marlinspike, M.: More tricks for defeating SSL in practice. Black Hat USA (2009)
Moher, E., Clark, J., Essex, A.: Diffusion of voter responsibility: potential failings in E2E voter receipt checking. USENIX J. Election Syst. Technol. (2015)
Nemec, M., Sys, M., Svenda, P., Klinec, D., Matyas, V.: The return of coppersmith’s attack: practical factorization of widely used RSA moduli. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1631–1648. ACM (2017)
Rescorla, E.: The transport layer security (TLS) protocol version 1.2, RFC 5246 (2008)
Rescorla, E.: The transport layer security (TLS) protocol version 1.3 (draft 28) (2018)
Sheffer, Y., Holz, R., Saint-Andre, P.: Summarizing known attacks on transport layer security (TLS) and datagram TLS (DTLS). RFC 7457 (2015)
Springall, D., et al.: Security analysis of the Estonian internet voting system. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 703–715. ACM (2014)
Valenta, L., et al.: Measuring small subgroup attacks against Diffie-Hellman (eprint). In: Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 2017). The Internet Society (2017)
Valenta, L., Cohney, S., Liao, A., Fried, J., Bodduluri, S., Heninger, N.: Factoring as a service. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 321–338. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_19
Western Australian Electoral Commission: 2017 State General Election Election Report (2017)
Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_28
Acknowledgements
Thanks to Ben Adida, Kirsten Dorey, Lucas Garron and the anonymous reviewers.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Cardillo, A., Essex, A. (2018). The Threat of SSL/TLS Stripping to Online Voting. In: Krimmer, R., et al. Electronic Voting. E-Vote-ID 2018. Lecture Notes in Computer Science(), vol 11143. Springer, Cham. https://doi.org/10.1007/978-3-030-00419-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-00419-4_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00418-7
Online ISBN: 978-3-030-00419-4
eBook Packages: Computer ScienceComputer Science (R0)