
The Threat of SSL/TLS Stripping to Online Voting

  • Conference paper
  • Electronic Voting (E-Vote-ID 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11143)

Abstract

In many real-world deployments of online voting, Transport Layer Security (TLS) represents the primary (and in some cases only) line of defense against network-based man-in-the-middle attacks that can steal voter credentials and modify ballot selections. In this paper we examine online voting in the context of TLS stripping attacks, which exploit the situation where a voter types or clicks a URL of the form example.com or http://example.com. Despite the widespread availability of effective protections, we present a study of voting-related websites finding the overwhelming majority are vulnerable to TLS stripping to some degree, with most offering no explicit protection at all.
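The "degree" of exposure the abstract refers to comes down to what a site serves on its plain-HTTP origin and whether its HTTPS responses carry a valid HTTP Strict Transport Security (HSTS, RFC 6797) policy that a browser will remember, ideally one that also qualifies for the browser preload lists the paper's notes point to. The following Python is an added example written for this page, not code from the paper or its authors: it parses a Strict-Transport-Security header the way RFC 6797 tells a user agent to (ignoring malformed or duplicated directives) and classifies a constructed set of observations of voting-style hostnames into four protection levels. The hostnames, responses and the one-year preload threshold are assumptions for illustration.

```python
"""Classify how well a site's HTTP/HTTPS behaviour defends against TLS stripping.

Added example (not from the paper). Inputs are constructed, not real measurements.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumed threshold: the public preload list asks for a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns None when a browser would discard the header: it is missing,
    lacks max-age, repeats a directive, or has a non-numeric max-age.
    Unknown directives are ignored, as the RFC requires.
    """
    if header is None:
        return None
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:  # a directive MUST NOT appear more than once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":  # not in RFC 6797, but required by preload lists
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


@dataclass
class Observation:
    host: str
    http_status: int                # status returned for http://host/
    http_location: Optional[str]    # Location header on that plain-HTTP response
    hsts_header: Optional[str]      # STS header seen on the https://host/ response


def classify(obs: Observation) -> str:
    """Map an observation to one of: none, redirect-only, hsts, hsts-preload-ready.

    'redirect-only' still lets an on-path attacker keep every http:// request
    in the clear; 'hsts' protects returning visitors for max-age seconds;
    'hsts-preload-ready' meets the usual preload-list criteria so even a
    first visit can be upgraded by the browser.
    """
    loc = urlparse(obs.http_location) if obs.http_location else None
    redirects_to_https = (
        300 <= obs.http_status < 400
        and loc is not None
        and loc.scheme == "https"
        and loc.hostname == obs.host.lower()
    )
    policy = parse_hsts(obs.hsts_header)
    if policy is None or policy.max_age == 0:  # max-age=0 clears any policy
        return "redirect-only" if redirects_to_https else "none"
    if (redirects_to_https and policy.preload and policy.include_subdomains
            and policy.max_age >= PRELOAD_MIN_MAX_AGE):
        return "hsts-preload-ready"
    return "hsts"


# Constructed observations (hypothetical hosts, not measured data).
SAMPLES = [
    Observation("vote-a.example", 200, None, None),
    Observation("vote-b.example", 301, "https://vote-b.example/", None),
    Observation("vote-c.example", 301, "https://vote-c.example/", "max-age=15768000"),
    Observation("vote-d.example", 301, "https://vote-d.example/",
                "max-age=63072000; includeSubDomains; preload"),
    Observation("vote-e.example", 301, "https://vote-e.example/", "max-age=0; max-age=300"),
]


def classify_all(samples=SAMPLES) -> dict:
    """Return {host: protection level} for a list of observations."""
    return {o.host: classify(o) for o in samples}


if __name__ == "__main__":
    for host, level in classify_all().items():
        print(f"{host:20s} {level}")
```

The duplicated `max-age` in the last sample is the kind of misconfiguration that looks protective in a header dump yet is discarded by a conforming browser, which is why the parser mirrors the RFC's rejection rules rather than just searching for the string `max-age`.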


Notes

  1. More commonly known as SSL Stripping, it was originally named after the now-deprecated Secure Sockets Layer (SSL) protocol.
  2. https://www.dhs.gov/government-facilities-sector.
  3. https://ivote.nsw.gov.au.
  4. https://valimised.ee.
  5. https://www.id.ee.
  6. https://www.ssllabs.com/ssl-pulse.
  7. US Office of Management and Budget. Memorandum M-15-13, 2015. https://https.cio.gov.
  8. https://www.chromium.org/hsts.
  9. https://hstspreload.org.
  10. https://ssllabs.com/ssltest.
  11. R. v. Sona, 2016 ONCA 452, Court of Appeals for Ontario, 2016. http://www.ontariocourts.ca/decisions/2016/2016ONCA0452.pdf.
  12. https://ncsl.org.
  13. https://registertovoteflorida.gov.


Acknowledgements

Thanks to Ben Adida, Kirsten Dorey, Lucas Garron and the anonymous reviewers.

Author information

Corresponding author: Aleksander Essex.


Copyright information

© 2018 Springer Nature Switzerland AG


Cite this paper

Cardillo, A., Essex, A. (2018). The Threat of SSL/TLS Stripping to Online Voting. In: Krimmer, R., et al. Electronic Voting. E-Vote-ID 2018. Lecture Notes in Computer Science, vol 11143. Springer, Cham. https://doi.org/10.1007/978-3-030-00419-4_3

  • DOI: https://doi.org/10.1007/978-3-030-00419-4_3
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-00418-7
  • Online ISBN: 978-3-030-00419-4
  • eBook Packages: Computer Science, Computer Science (R0)