
Trust Implications of DDoS Protection in Online Elections

  • Conference paper
Electronic Voting (E-Vote-ID 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10615)


Abstract

Online elections make a natural target for distributed denial of service attacks. Election agencies wary of disruptions to voting may procure DDoS protection services from a cloud provider. However, current DDoS detection and mitigation methods come at the cost of significantly increased trust in the cloud provider. In this paper we examine the security implications of denial-of-service prevention in the context of the 2017 state election in Western Australia, revealing a complex interaction between actors and infrastructure extending far beyond its borders.

Based on the publicly observable properties of this deployment, we outline several attack scenarios including one that could allow a nation state to acquire the credentials necessary to man-in-the-middle a foreign election in the context of an unrelated domestic law enforcement or national security operation, and we argue that a fundamental tension currently exists between trust and availability in online elections.


Notes

  1. The largest as a fraction of the electorate is Estonia’s.

  2. https://blockchain.info/stats

  3. https://www.incapsula.com/blog/make-website-invisible-direct-to-origin-ddos-attacks.html

  4. https://www.incapsula.com/incapsula-global-network-map.html

  5. https://www.incapsula.com/blog/incapsula-ssl-support-features.html

  6. https://github.com/zmap/zgrab


Acknowledgements

The authors thank the Western Australian Election Commission for quick acknowledgement and response to our disclosure. Thanks also to Yuval Yarom and the anonymous reviewers for helpful feedback.

Author information

Corresponding author

Correspondence to Aleksander Essex.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Culnane, C., Eldridge, M., Essex, A., Teague, V. (2017). Trust Implications of DDoS Protection in Online Elections. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds) Electronic Voting. E-Vote-ID 2017. Lecture Notes in Computer Science, vol 10615. Springer, Cham. https://doi.org/10.1007/978-3-319-68687-5_8


  • DOI: https://doi.org/10.1007/978-3-319-68687-5_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68686-8

  • Online ISBN: 978-3-319-68687-5

  • eBook Packages: Computer Science, Computer Science (R0)
