Dop Ganger nslug at fop.ns.ca
Thu Oct 18 09:18:52 ADT 2012

On Wed, 17 Oct 2012, Daniel AJ Sokolov wrote:

> If I was going to evote I'd have to trust the HRM, otherwise there would be 
> no point in voting (which is why I do not vote for the first time in my 
> life).

So let me see if I understand what you're saying: you're not sure if you 
trust the certificate from HRM so you're calling HRM to make sure the 
certificate is correct? I think you have misunderstood the technical 
details of SSL and exactly what it is for: the trust is *not* placed at 
the end of the certificate chain (in this case, HRM); the trust is in the 
*root* certificate, in this case, Verisign. If you wish to validate the 
certificate you are absolutely missing the point if you are depending on 
the certificate creator, as the point of trust is when the certificate is 
signed. When the certificate is verified by the browser it does not go to 
vote.halifax.ca to verify it, it goes to the owner of the root certificate 
that verified it. Does that make any more sense?

> My fear is that some criminal might have set up a server that purports to be 
> the evoting server, especially since there is no DNSSec and (what seems to 
> be) the HRM Election Office itself tweeted this:
> https://twitter.com/VoteHRM/status/254556607017517056

This, on the other hand, is a valid concern. According to whois records 
the technical contact for halifax.ca is:

Technical contact:
     Name:              Mr Phillip Evans
     Postal address:    5251 Duke St
                        Halifax NS B3J3A5 Canada
     Phone:             +1.9024904444
     Fax:               +1.9024906583
     Email:             evansp at halifax.ca

On a side note, of interest from the whois records:

Name servers:

> So I ask the election authority to confirm the fingerprint of the SSL 
> certificate that I can see in my browser (SHA-1 or SHA-256) of both domains 
> used in the process. If they are not the correct person to talk to, they 
> should redirect me thither.

Why are you expecting an elections officer to know the intricacies of SSL? 
If you are technical enough to be concerned about SSL fingerprints I am 
baffled why you are not talking to the technical contact for the domain.

> Coming back to the local media: They haven't even told the p.t. constituents 
> that HRM has outsourced the election to a Spanish for-profit company that, 
> judging by IP-address, has their servers in the United States!
> Whatever the company (Scytl) says will be the e-lection result.

And here is another valid issue.

I think you are conflating the technical issues (and I see no reason why 
an elections officer should be assumed to have a comp sci background, and 
personally I think you should have asked for the technical contact rather 
than throwing technical questions at the elections officer) with a genuine 
political issue regarding the ultimate ownership of the underlying 
elections system. In particular, I think you should be considering (as 
someone else noted to me in a direct email) the implications of the 
PATRIOT Act. You should be asking whether a release has been signed to 
permit all the elections data (including personal information) to be 
transmitted to a third party in the US, for example.

Cheers... Dop.
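
Added example, not part of the original message: one way to do the out-of-band check discussed in this thread, comparing the SHA-1 or SHA-256 fingerprint of the certificate a server presents against a value confirmed through another channel. All function names and the sample bytes are constructed for illustration; `fetch_der` needs network access and is not called in the demo.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hash algorithm, for the two fingerprint types named in the thread.
ALGOS = {40: "sha1", 64: "sha256"}

# Constructed placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents, without chain validation."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def normalize(fp: str) -> str:
    """Strip the separators and case differences of a copied or dictated fingerprint."""
    cleaned = "".join(c for c in fp if c not in ": -\t\n").lower()
    if len(cleaned) not in ALGOS or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    return cleaned


def fingerprint(der: bytes, algo: str) -> str:
    """A certificate fingerprint is the hash of the whole DER encoding."""
    return hashlib.new(algo, der).hexdigest()


def matches(der: bytes, confirmed: str) -> bool:
    """Compare the presented certificate with a fingerprint confirmed out of band."""
    want = normalize(confirmed)
    got = fingerprint(der, ALGOS[len(want)])  # algorithm chosen by digest length
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Simulate the value a technical contact would read back, browser-style formatting.
    digest = fingerprint(SAMPLE_DER, "sha256")
    confirmed = ":".join(digest[i:i + 2] for i in range(0, 64, 2)).upper()
    print("same certificate:     ", matches(SAMPLE_DER, confirmed))
    print("different certificate:", matches(SAMPLE_DER + b"\x00", confirmed))
```

A match only ties the presented certificate to the confirmed value; it is independent of whether the browser's root store would accept the chain.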

