Advertisement

The Threat of SSL/TLS Stripping to Online Voting

  • Anthony Cardillo
  • Aleksander EssexEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11143)

Abstract

In many real-world deployments of online voting, Transport Layer Security (TLS) represents the primary (and in some cases only) line of defense against network based man-in-the-middle attacks that can steal voter credentials and modify ballot selections. In this paper we examine online voting in the context of TLS stripping attacks, which exploit the situation where a voter types or clicks a URL of the form example.com or http://example.com. Despite the widespread availability of effective protections, we present a study of voting-related websites finding the overwhelming majority are vulnerable to TLS stripping to some degree, with most offering no explicit protection at all.

Notes

Acknowledgements

Thanks to Ben Adida, Kirsten Dorey, Lucas Garron and the anonymous reviewers.

References

  1. 1.
    Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 5–17. ACM (2015)Google Scholar
  2. 2.
    Alsharnouby, M., Alaca, F., Chiasson, S.: Why phishing still works: user strategies for combating phishing attacks. Int. J. Hum.-Comput. Stud. 82, 69–82 (2015)CrossRefGoogle Scholar
  3. 3.
    Amrutkar, C., Traynor, P., Van Oorschot, P.C.: An empirical evaluation of security indicators in mobile web browsers. IEEE Trans. Mob. Comput. 14(5), 889–903 (2015)CrossRefGoogle Scholar
  4. 4.
    Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 511-525. IEEE (2013)Google Scholar
  5. 5.
    Culnane, C., Eldridge, M., Essex, A., Teague, V.: Trust implications of DDoS protection in online elections. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 127–145. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-68687-5_8CrossRefGoogle Scholar
  6. 6.
    Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM (2006)Google Scholar
  7. 7.
    Dorey, K., Chang-Fong, N., Essex, A.: Indiscreet logs: Diffie-Hellman backdoors in TLS. In: Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 2017). The Internet Society (2017)Google Scholar
  8. 8.
    Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 475–488. ACM (2014)Google Scholar
  9. 9.
    Dzieduszycka-Suinat, S., et al.: The future of voting: end-to-end verifiable internet voting - specification and feasibility study. US Vote Foundation (2015)Google Scholar
  10. 10.
    Essex, A.: Detecting the detectable: unintended consequences of cryptographic election verification. IEEE Secur. Priv. 15(3), 30–38 (2017)CrossRefGoogle Scholar
  11. 11.
    Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M.: POODLEs, more POODLEs, FREAK attacks too: how server administrators responded to three serious web vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 122–137. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-30806-7_8CrossRefGoogle Scholar
  12. 12.
    Halderman, J.A., Teague, V.: The New South Wales iVote system: security failures and verification flaws in a live online election. In: Haenni, R., Koenig, R.E., Wikström, D. (eds.) VOTELID 2015. LNCS, vol. 9269, pp. 35–53. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-22270-7_3CrossRefGoogle Scholar
  13. 13.
    Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS), RFC 6797 (2012)Google Scholar
  14. 14.
    Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: NDSS (2015)Google Scholar
  15. 15.
    Marlinspike, M.: More tricks for defeating SSL in practice. Black Hat USA (2009)Google Scholar
  16. 16.
    Moher, E., Clark, J., Essex, A.: Diffusion of voter responsibility: potential failings in E2E voter receipt checking. USENIX J. Election Syst. Technol. (2015)Google Scholar
  17. 17.
    Nemec, M., Sys, M., Svenda, P., Klinec, D., Matyas, V.: The return of coppersmith’s attack: practical factorization of widely used RSA moduli. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1631–1648. ACM (2017)Google Scholar
  18. 18.
    Rescorla, E.: The transport layer security (TLS) protocol version 1.2, RFC 5246 (2008)Google Scholar
  19. 19.
    Rescorla, E.: The transport layer security (TLS) protocol version 1.3 (draft 28) (2018)Google Scholar
  20. 20.
    Sheffer, Y., Holz, R., Saint-Andre, P.: Summarizing known attacks on transport layer security (TLS) and datagram TLS (DTLS). RFC 7457 (2015)Google Scholar
  21. 21.
    Springall, D., et al.: Security analysis of the Estonian internet voting system. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 703–715. ACM (2014)Google Scholar
  22. 22.
    Valenta, L., et al.: Measuring small subgroup attacks against Diffie-Hellman (eprint). In: Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 2017). The Internet Society (2017)Google Scholar
  23. 23.
    Valenta, L., Cohney, S., Liao, A., Fried, J., Bodduluri, S., Heninger, N.: Factoring as a service. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 321–338. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54970-4_19CrossRefGoogle Scholar
  24. 24.
    Western Australian Electoral Commission: 2017 State General Election Election Report (2017)Google Scholar
  25. 25.
    Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38980-1_28CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Department of Electrical and Computer EngineeringWestern UniversityLondonCanada

Personalised recommendations