[nSLUG] Evoting Rant

Daniel AJ Sokolov daniel at falco.ca
Wed Oct 17 17:02:13 ADT 2012


On 17.10.2012 11:49, Dop Ganger wrote:
> You stated "They are unable to verify fingerprints of the SSL
> certificates in use", which therefore means the certificate is
> untrusted, yes?

Yes.

> Or did I misunderstand and you expected the officer to validate the SHA
> and/or MD5 fingerprint? If so, you were calling the wrong people - you
> should call the issuer (Verisign) to validate the fingerprint as they
> are the purported issuer of this certificate. In addition, I highly
> doubt you were talking to the person at HRM who requested the
> certificate, and even then if it is an issue of trust the requester is
> not the person to ask to verify as they are not the trusted party in
> this instance.

If I was going to evote I'd have to trust the HRM, otherwise there would 
be no point in voting (which is why I do not vote for the first time in 
my life).

My fear is that some criminal might have set up a server that purports 
to be the evoting server, especially since there is no DNSSec and (what 
seems to be) the HRM Election Office itself tweeted this:

https://twitter.com/VoteHRM/status/254556607017517056

So I ask the election authority to confirm the fingerprint of the SSL 
certificate that I can see in my browser (SHA-1 or SHA-256) of both 
domains used in the process. If they are not the correct person to talk 
to, they should redirect me thither.

Coming back to the local media: They haven't even told the p.t. 
constituents that HRM has outsourced the election to a Spanish 
for-profit company that, judging by IP-address, has their servers in the 
Unites States!

Whatever the company (Scytl) says will be the e-lection result.

Best regards
Daniel AJ



More information about the nSLUG mailing list