[nSLUG] Evoting Rant
rory at unixism.org
Wed Oct 17 08:10:16 ADT 2012
I wish this was surprising.
Given the pool of web application devs out there, though, it doesn't surprise me at all. I continually run into sites that cost considerable money to build (devs, consultants, etc.) and are full of all the classic newbie security holes. Or that use 'encryption' to virtually zero effect.
You'd think more of us had learned a thing or two about secure development over the last decade or so.
Add to that all the complexities inherent in elections and voting, and you've got a recipe for disaster.
On 2012-10-17, at 12:08 AM, Daniel AJ Sokolov wrote:
> Let me set this straight: I think that Evoting is a bad idea for any public election. There is but a single group that I would see it warranted for: voters with certain handicaps.
> Putting aside my general approach to Evoting, I have observed what is going on in the HRM. And it is appalling.
> They have sent Login AND Password, in plain visibility, on ONE and the same page in an easily identifiable envelope - and they even put a "do not forward" message on it so voters who are out of town can not evote after all.
> They did not set up DNSSEC.
> The website officially supports only certain operating systems and browsers (no word of Linux) and apparently a single screenreader.
> No source code has been disclosed (however, a single HRM employee was tasked with verifying that the source code is perfect - what a relief).
> They are unable to verify fingerprints of the SSL certificates in use. They were very nice, talked to the Returning Officer and called me back: "You just need to type in https and then it is secure."
> Daniel AJ