Western Australia's Web votes have security worries, say 'white hat' mathematicians

The Western Australian government is pushing back against concerns about the security of its implementation of the iVote electoral system.

iVote is an electronic system already used in another Australian State, New South Wales, primarily as an accessibility tool because it lets the vision-impaired and others with disabilities vote without assistance.

Perhaps in response to last year's Census debacle, Western Australia has decided to put in place denial-of-service (DoS) protection, and that's attracted the attention of a group of veteran electronic vote-watchers.

Writing at the University of Melbourne's Pursuit publication, the group notes that the DoS proxy is not in Australia: it's provided by Imperva's Incapsula DoS protection service.

That raises several issues, the academics (Dr Chris Culnane and Dr Vanessa Teague of the University of Melbourne, Dr Yuval Yarom and Mark Eldridge of the University of Adelaide, and Dr Aleksander Essex of Western University in Canada) note.

First: the TLS certificate iVote uses to secure its communications is signed not by the WA government, but by Incapsula; and second, that means Incapsula is decrypting votes on their way from a voter to the State's Electoral Commission.

While it would be fatal to Incapsula's business if it weren't trustworthy, the academics are worried about votes existing in decrypted form anywhere but the Electoral Commission, because a suborned employee, someone wandering around Incapsula's systems without authorisation, or US government agencies also stand as “possible eavesdroppers”.

The Western Australian Electoral Commission has issued a “calm down”, telling The West Australian votes have two layers of encryption: one when the vote is cast, and a second for transit (the TLS session that uses the Incapsula certificate).

That's true, white-hat mathematician Dr Vanessa Teague told The Register, adding that the Javascript-based in-browser encryption of votes looks “pretty good” to the group.

However, problems remain, and for these, a little explanation is required.

First, iVote has processes designed to separate the voter's identity from the vote they cast. It does so by using different servers for voter registration and vote-casting.

To register, a voter provides their name and a proof of identity, such as a Medicare number or passport number. From those details, the system generates a pseudonymous user ID and a login PIN.

To guarantee voter anonymity, the server processing votes only knows user IDs and PINs: it knows a registered voter is logging in, but not a voter's identity.

Dr Teague pointed out to The Register that since both registrations and votes pass through the Incapsula proxy, it introduces a location from which an attacker could de-anonymise a voter (for legal reasons, this would be untestable against a live system).

As noted in the Pursuit article: “If you register and vote from the same web browser, a ‘cookie’ stored on your system by Incapsula allows it to link both interactions.”

Second, although the Javascript encryption of the vote is well-designed, because it's passing through the Incapsula proxy the code itself is potentially visible to third parties. This raises a potential man in the middle attack to reveal votes.

The Register has asked the Western Australian Electoral Commission to comment. ®