Source |
Reversemode |
Identifier |
8654595 |
Publication date |
2024-01-28 15:16:46 (viewed: 2025-03-07 20:12:10) |
Title |
Finding vulnerabilities in Swiss Post's e-voting system: part 3 |
Text |
Exactly two years ago I brought my blog back to life, after many years of hiatus, with "Finding vulnerabilities in Swiss Post's future e-voting system - Part 1". That was the first of a series of blog posts covering that system. During these two years I've been periodically assessing the security posture of this e-voting solution, as part of their Bug Bounty program, which I personally recommend. Since the first time I reviewed their codebase a lot of things have changed, for good, as many areas have been dramatically improved. To be honest, from a security perspective the codebase back then was kind of a mess. When the first Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community. As a result, some significant issues were uncovered, so eventually Swiss Post decided to suspend the deployment of the system. That first version had been developed by Scytl, a Spanish company specialized in electronic voting systems. After that fiasco, Swiss Post changed their approach, thus acquiring the source code from Scytl and moving to a transparent, open-source focused, in-house development process, which is where they are at now. I've already expressed my thoughts about e-voting, which is a thorny issue for many in the security community. Obviously, bearing in mind what is at stake, all kinds of concerns are expected, understandable, and actually, needed. That said, I think that it is also our, we security people, responsibility to properly raise legitimate concerns, while keeping a technically accurate position. For me, this means properly understanding the scope, extent and context for both the e-voting solution and the threats it may face. This can be achieved by carefully studying the 'Protocol of the Swiss Post Voting System' document, which includes their threat model. The trust assumptions are a key concept to understanding Swiss Post's e-voting system. |
Notes |
★★★
|
Sent |
Yes |
Hash |
NoVal |
Tags |
|
Stories |
|
Move |
|