benadida / helios-server

Helios server

Home Page:http://heliosvoting.org

Security

AlZotova opened this issue · comments

Good afternoon, I came across this article on Wikipedia:

In 2010 researchers identified a ballot secrecy vulnerability.[16]
In 2011 and 2016 researchers identified cross-site scripting vulnerabilities. The first endangers sessions of administrators and was promptly patched.[16] For the second, if the attacker is able to get a voter to click a specially crafted link, the voter will land on a modified HELIOS page which can violate ballot secrecy or manipulate votes.[4] It is unclear if the vulnerability has been fixed as of 2019.

Could you tell me whether these vulnerabilities have been fixed at the moment?

If you want to be sure the voting system is not compromised, it is better to have an on-chain voting solution such as vote coin.

It is not vulnerable to any replay or XSS attacks, as it usually requires a signature from a third-party wallet service.

Hi @scholtz,

I don't think blockchain solutions are the right idea for voting. Of course you can disagree, but please do keep these discussions out of the Helios ticket boards, as that's not the right place.

Hi @AlZotova: the cross-site scripting issues were resolved. The other issue is mostly a phishing issue, which is mitigated by the fact that voters are notified of their cast votes, with a tracking number.