, 17 tweets, 5 min read Read on Twitter
So I’m a little torn. Yesterday for fun (yes, I have bad work-life balance) I took a look at some of the @swisspost e-voting code that the agency recently provided under bug bounty. Apparently it’s being used in real elections. 1/
I did maybe an hour’s poking with @SarahJamieLewis, who also has bad work/life balance, and in that hour we found a whole bunch of non-cryptographically-secure parameters being used in their test code. So we commented on it. 2/
Woke up to a tweet from @swisspost informing me that I “may have missed” a note on page 48 of their 163-page protocol spec, that informs the reader of the “production parameters”. They’re not included in the code. 3/
The actual parameters are larger and will be generated using some unspecified process. So I felt a little bad about that, even though on reflection, I don’t exactly know how they could have done a worse job at specifying this. 4/
Maybe if they’d hid them in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard,’ I would have found them. :) 5/
As some kind of penance I spent the day poking through their specs and code and OH LORD I love complicated crypto, but this terrifies even me. I can’t even make sense of some of these code patterns to find the right routines, let alone verify they’re correct. 6/
I think @SarahJamieLewis has done a great job at showing a million different scary things in that code. Go read her timeline. Here’s one just for fun: 7/
In any case, I’m not going to drop a bunch of vulns because I don’t understand this code well enough to find them yet, and Sarah’s comments are worrying enough. Instead I’m going to explain what this thing is supposed to do — and why even the smallest bug is so dangerous. 8/
When you vote, your ballot is encrypted. The magic of this system is that it can do four things:

1. Verify your ballot is legit.
2. Strip away your ID, and cryptographically shuffle ballots.
3. Add the ballots up *without decrypting them*.
4. Decrypt the final tallies. 9/
The beauty of this system is that nobody can see what’s in the ballots. So I could try to vote twice. Or much more worryingly, the shuffle step could just *replace* all the ballots with new ones that elect, say, a Swiss cryptographer to office. 10/
All of these bad things are kept at bay with one of my favorite tools: zero knowledge proofs.

A ZKP makes sure you can’t vote 10,000 times. A ZKP makes sure that the shuffler (mix) doesn’t just throw away and replace all the ballots. (Actually this is a MESS of proofs.) 11/
The wonderful, horrible thing about zero knowledge proofs is that when they work, they’re amazing. When they fail, they can fail *undetectably*. Believe me, I have stories. 12/ fortune.com/2019/02/05/zca…
What I’m trying to get across here is that this is *not* exactly like a bad online voting system, where the attacker maybe has to tamper with thousands of clients. If there are bugs in these proofs, the attacker could potentially do a huge amount of damage. 13/
In the worst case, a malicious or hacked shuffling (mix) server could simply pick the next Swiss president. Or chocolate king —whatever the equivalent is over there.

I kid!! ;)

(Note to self: learn something about the Swiss political system.) 14/
All of this is a long-winded way of saying that, no, a bug bounty is NOT the right tool to evaluate something so complex and fragile. PARTICULARLY when, thanks to enterprise Java, huge portions of the critical code look like this: 15/
So to summarize this long tweet thread: *no* it is not the case (apparently) that this code is trivially broken. *no*, that does not make it safe to use in real elections, nor (as far as I know) has it been audited by anyone competent enough to really bless it. 16/
In summary, that is my story of how I ticked off the Swiss Post office and learned more about Java cryptography than I ever wanted in my head. Fin/
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Green
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!