republique-et-canton-de-geneve / chvote-1-0

Electronic vote system, version 1.

Home Page: https://republique-et-canton-de-geneve.github.io/chvote-1-0

License: GNU Affero General Public License v3.0

Shell 0.20% Batchfile 0.02% Java 72.98% CSS 0.79% Groovy 26.00%
electronic-voting e-voting switzerland geneva java geneve

chvote-1-0's Introduction

To contribute to OCSIN's GitHub page:

  • if you work for OCSIN: you must read the open source publication charter, then submit a request ("Issues" tab of this Git project, then "New issue")
  • if you are external to OCSIN: you must follow the usual fork and pull request procedure.

chvote-1-0's People

Contributors

das-g, edoverflow, etat-de-geneve, fellowsdevel, fredericjacobs, habi, lo-enterprise, mrbq, nremond

chvote-1-0's Issues

Update password specifications

CHVote currently requires a password length of 9-10 characters. On top of that, your composition rules state that the password must contain at least one uppercase character, one lowercase character and one digit. This is not a good password guideline and I think this needs to be updated.

private static boolean isPasswordValid(String newValue) {
     // Length should be between 9 and 10 (incl)
     boolean validLength = newValue.length() >= 9 && newValue.length() <= 10;
     // Password should contain at least one upper, one lower and one digit
     boolean validPattern = newValue.matches(".*[A-Z].*") && newValue.matches(".*[a-z].*") && newValue.matches(".*[0-9].*");
     return validLength && validPattern;
}

Link: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/admin-offline/src/main/java/ch/ge/ve/offlineadmin/controller/PasswordDialogController.java#L56-L62

In case you missed it, NIST updated their password guidelines here: https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers

Verifiers SHOULD permit user-chosen memorized secrets to be at least 64 characters in length.

All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets; Unicode [ISO/ISC 10646:2014] characters SHOULD be accepted as well.

Verifiers SHOULD NOT impose other composition rules (mixtures of different character types, for example) on memorized secrets.
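
The validator quoted in the issue next to a length-only policy in the spirit of the quoted NIST text, as an added example that is not part of the issue or the project's code. The 8-character minimum, NFKC normalization and code-point counting come from SP 800-63B; rejecting control characters, the class and method names, and the sample passwords are assumptions of this example.

```java
import java.text.Normalizer;

public class MemorizedSecretPolicy {
    static final int MIN_CODE_POINTS = 8;   // SP 800-63B minimum for user-chosen secrets
    static final int MAX_CODE_POINTS = 64;  // at least 64 must be permitted; may be raised

    // The validator quoted in the issue, kept unchanged for comparison.
    static boolean legacyIsPasswordValid(String newValue) {
        boolean validLength = newValue.length() >= 9 && newValue.length() <= 10;
        boolean validPattern = newValue.matches(".*[A-Z].*") && newValue.matches(".*[a-z].*")
                && newValue.matches(".*[0-9].*");
        return validLength && validPattern;
    }

    // Length-only policy: normalize, count code points, impose no composition rules.
    static boolean isPasswordValid(String candidate) {
        String normalized = Normalizer.normalize(candidate, Normalizer.Form.NFKC);
        int codePoints = normalized.codePointCount(0, normalized.length());
        if (codePoints < MIN_CODE_POINTS || codePoints > MAX_CODE_POINTS) {
            return false;
        }
        // Assumption of this example: control characters (tab, newline, NUL) are rejected.
        return normalized.codePoints().noneMatch(Character::isISOControl);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "Passw0rd1",                                  // satisfies the legacy composition rules
            "correct horse battery staple",               // passphrase: lowercase and spaces only
            "p\u00e4ssw\u00f6rter d\u00fcrfen lang sein", // passphrase with non-ASCII letters
            "short1A",                                    // too short under both policies
        };
        for (String s : samples) {
            System.out.printf("%-30s legacy=%-5b length-only=%b%n",
                    s, legacyIsPasswordValid(s), isPasswordValid(s));
        }
    }
}
```

The legacy rule accepts only the first sample and rejects both passphrases; the length-only rule accepts all but the last.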

Broken http => https redirect handling

Sorry if I'm reporting this issue in the incorrect place. Hopefully you can help me route it.

http://www.evote-ch.ch/vd incorrectly redirects to https://doc.evote-ch.chvd (note the lack of slash between ch and vd).

If an attacker is able to purchase the chvd top level domain (very unlikely), they could theoretically compromise the election process.

$ curl -v 'http://www.evote-ch.ch/vd'
*   Trying 160.53.75.136...
* TCP_NODELAY set
* Connected to www.evote-ch.ch (160.53.75.136) port 80 (#0)
> GET /vd HTTP/1.1
> Host: www.evote-ch.ch
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 28 Jan 2019 07:21:27 GMT
< Location: https://doc.evote-ch.chvd
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: TS01e3dc2d=0175768efa8072e65a48d44dfa6c49612c22053b2e1ee970b4397f6c52294d0bf01bf66d65e1a81ae78af0e5c9a493202ec2f7d145; Path=/
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://doc.evote-ch.chvd">here</a>.</p>
</body></html>
* Connection #0 to host www.evote-ch.ch left intact
$
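
A check a deployment smoke test could run on every `Location` header before release, as an added example that is not part of the issue or the project's code. The method name `isTrustedRedirect` is hypothetical, the trusted domain `evote-ch.ch` is taken from the report, and the second and third sample URLs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class RedirectTargetCheck {
    // True only if the Location value is an absolute https URL whose host is the
    // trusted domain itself or a subdomain of it. The match is made on a dot
    // boundary, so "doc.evote-ch.chvd" does not pass as "evote-ch.ch".
    static boolean isTrustedRedirect(String location, String trustedDomain) {
        URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        String trusted = trustedDomain.toLowerCase(Locale.ROOT);
        return host.equals(trusted) || host.endsWith("." + trusted);
    }

    public static void main(String[] args) {
        String[] locations = {
            "https://doc.evote-ch.chvd",   // value from the curl output in the report
            "https://doc.evote-ch.ch/vd",  // constructed: same target with the slash present
            "http://doc.evote-ch.ch/vd",   // constructed: right host, plaintext scheme
        };
        for (String location : locations) {
            System.out.printf("%-28s trusted=%b%n", location,
                    isTrustedRedirect(location, "evote-ch.ch"));
        }
    }
}
```

Only the second sample is accepted: the reported value parses with host `doc.evote-ch.chvd`, which lies outside the trusted domain.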

Use Tags please

Please use GitHub to schedule releases using tags as well as branches for feature work-flow & discovery. It helps open the repo up as projects are not being used and internal issues don't seem to be getting tracked.

Same key used in encrypt() and BuildMAC()

You do not appear to be using separate keys for AES encryption and the HMAC.

BuildMAC()

mac.init(config.getSecretKey());

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/commons-base/commons-crypto/src/main/java/ch/ge/ve/commons/crypto/SensitiveDataCryptoUtils.java#L180

encrypt()

SecretKey secretKey = config.getSecretKey();
cipher.init(Cipher.ENCRYPT_MODE, secretKey, SecureRandomFactory.createPRNG());

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/commons-base/commons-crypto/src/main/java/ch/ge/ve/commons/crypto/SensitiveDataCryptoUtils.java#L272
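
One way to separate the two keys, as an added example that is not the project's code: derive an encryption subkey and a MAC subkey from a single master key with HMAC-SHA256 over a purpose label (in the style of HKDF-Expand), then encrypt-then-MAC. The master key stands in for what `config.getSecretKey()` returns; the labels, the AES/CBC mode, the output layout and all class and method names are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class KeySeparationExample {
    // Subkey = HMAC-SHA256(master, label); distinct labels yield independent 256-bit keys.
    static SecretKey derive(SecretKey master, String label, String alg) throws GeneralSecurityException {
        Mac prf = Mac.getInstance("HmacSHA256");
        prf.init(master);
        return new SecretKeySpec(prf.doFinal(label.getBytes(StandardCharsets.UTF_8)), alg);
    }
    // HMAC over data[0..len) under the MAC subkey, never under the encryption key.
    static byte[] tag(SecretKey master, byte[] data, int len) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(derive(master, "authentication", "HmacSHA256"));
        mac.update(data, 0, len);
        return mac.doFinal();
    }
    // Encrypt-then-MAC. Output layout (assumed): IV (16) || ciphertext || tag (32).
    static byte[] seal(SecretKey master, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); // mode is an assumption
        cipher.init(Cipher.ENCRYPT_MODE, derive(master, "encryption", "AES"), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, 16 + ct.length + 32);
        System.arraycopy(ct, 0, out, 16, ct.length);
        System.arraycopy(tag(master, out, 16 + ct.length), 0, out, 16 + ct.length, 32);
        return out;
    }

    static byte[] open(SecretKey master, byte[] sealed) throws GeneralSecurityException {
        if (sealed.length < 64) throw new GeneralSecurityException("truncated input");
        int ctEnd = sealed.length - 32;
        // Verify the tag before decrypting, using a comparison that does not exit early.
        if (!MessageDigest.isEqual(tag(master, sealed, ctEnd), Arrays.copyOfRange(sealed, ctEnd, sealed.length)))
            throw new GeneralSecurityException("MAC mismatch");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, derive(master, "encryption", "AES"), new IvParameterSpec(sealed, 0, 16));
        return cipher.doFinal(sealed, 16, ctEnd - 16);
    }

    public static void main(String[] args) throws Exception {
        SecretKey master = new SecretKeySpec(new byte[32], "HmacSHA256"); // constructed all-zero demo key
        byte[] sealed = seal(master, "sample".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(master, sealed), StandardCharsets.UTF_8));
    }
}
```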

Support deterministic builds of whole environment

First off, this is really rad. Just wanted to say that. Thanks Geneva!

I've only looked briefly, so maybe this is already underway.

The idea would be to generate the environments used to carry out all these procedures in a totally deterministic way. So build all the tools used from source, and verify signatures, and provide an environment that citizens can rebuild and check those signatures themselves.

This would be similar to how the Bitcoin build process works, and the tools they've built to support that:
https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md

consider publishing the threat model

from https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/docs/system-overview.md#threat-assessment:

The threats to the evoting system are modeled and rated, and include attacker profiles from outside and inside the organization. Furthermore, the abuse cases are built and maintained.

I believe it would be very welcome to have the threat model published along with the system overview documentation. While the architecture and code seem well documented, the motivations driving the security design are crucial and mostly missing.

This would lead to a more efficient and smooth collaboration from the community, allowing it to focus security review on the most critical (publicly available) parts of the system depending on the rating and priorities.

For example, #15 raises interesting questions regarding the passwords. Humans are notoriously bad at picking good passwords (especially repeatedly) and there is a consensus that arbitrary composition rules are near useless (humorously depicted in https://xkcd.com/936/). It is then understandable that this topic raises concern. But if overall the passwords are low priority targets in the threat model — and it is clearly stated, then a lengthy discussion about them may be avoided saving everyone's time and energy.

Set a strict Referrer-Policy

After submitting a vote, the voter gets redirected to the website of the Canton. As some of these websites use Google Analytics and other tracking tools, it's possible to identify voters by analyzing the HTTP referrer. The referrer URL is unique to the extent that it allows distinguishing between regular visitors of evote-ch.ch and voters who actually submitted a vote.

By setting the HTTP header Referrer-Policy to no-referrer (or strict-origin), this leak can be prevented.

HSTS Preloading

To prevent users from ending up on the unencrypted HTTP version of the website, evote-ch.ch may be submitted to the HSTS preloading list. It would ensure that most popular browsers will always use HTTPS to access evote-ch.ch.

Final Version

According to various sources, this e-voting platform will be discontinued by the Canton of Geneva. The last commits are several months old. In the meantime, have there been any changes that haven't been pushed yet? If so, this would be a good time before Canton Geneva runs out of time or money to maintain this repository.

It would be great if all the code would be available here. According to the motto: Public Money, Public Code!

arePasswordsEqualAndValid() is vulnerable to timing attacks

The equals() method performs a character-by-character comparison, which terminates as soon as two characters do not match. This form of comparison is therefore vulnerable to timing attacks:

return stringProperty1.getValueSafe().equals(stringProperty2.getValueSafe()) && isPasswordValid(stringProperty1.getValueSafe());

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/admin-offline/src/main/java/ch/ge/ve/offlineadmin/controller/PasswordDialogController.java#L195

This comparison is then performed here:

private BooleanBinding bindForValidity(boolean withConfirmation, TextField electionOfficer1Password, TextField electionOfficer2Password, Label errorMessage, Node confirmButton) {
        BooleanBinding passwordsValid = Bindings.createBooleanBinding(
                () -> withConfirmation ? arePasswordsEqualAndValid(electionOfficer1Password.textProperty(), electionOfficer2Password.textProperty()) : isPasswordValid(electionOfficer1Password.getText()),
                electionOfficer1Password.textProperty(),
                electionOfficer2Password.textProperty());
        passwordsValid.addListener((observable, werePasswordsValid, arePasswordsValid) -> {
            confirmButton.setDisable(!arePasswordsValid);
            errorMessage.setVisible(!arePasswordsValid && withConfirmation);
        });
        return passwordsValid;
    }

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/admin-offline/src/main/java/ch/ge/ve/offlineadmin/controller/PasswordDialogController.java#L171

Unfortunately, I do not know how significant this issue is since you do not have a clear threat model (#17).
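
The early-exit behaviour described in this issue next to a comparison whose work does not depend on where the inputs differ, as an added example that is not part of the issue or the project's code. It works on plain `String` values rather than the JavaFX properties in the quoted code; the class and method names and the sample strings are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ConstantTimeCompareExample {
    // Mirrors an early-exit comparison and reports how many characters it inspected:
    // the amount of work grows with the length of the matching prefix.
    static int charsInspectedByEarlyExit(String a, String b) {
        if (a.length() != b.length()) return 0;
        int inspected = 0;
        for (int i = 0; i < a.length(); i++) {
            inspected++;
            if (a.charAt(i) != b.charAt(i)) break;
        }
        return inspected;
    }

    // Hash both inputs to 32 bytes so their lengths are equal, then compare with
    // MessageDigest.isEqual, which examines every byte regardless of mismatches.
    static boolean constantTimeEquals(String a, String b) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] da = sha256.digest(a.getBytes(StandardCharsets.UTF_8));
            byte[] db = sha256.digest(b.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(da, db);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is available on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        String reference = "Tr0ub4dor3";                              // constructed sample
        String[] others = {"Xr0ub4dor3", "Tr0ub4doX3", "Tr0ub4dor3"}; // constructed samples
        for (String other : others) {
            System.out.printf("%s inspected=%d equal=%b%n", other,
                    charsInspectedByEarlyExit(reference, other),
                    constantTimeEquals(reference, other));
        }
    }
}
```

The three samples make the early-exit loop inspect 1, 9 and 10 characters respectively, while the digest comparison always processes 32 bytes.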
