User:Bugghost/Securepoll notes
In order to understand SecurePoll a bit better, I've run some testing on a local Mediawiki instance.
Anyone is free to edit this page if they feel there's anything incorrect/missing here.
Settings
I used the most vanilla setup of MediaWiki. This was a fresh install following these instructions, then I added the SecurePoll extension, and then added these user groups (which are analogous to the current AELECT proposal):
$wgGroupPermissions['electionclerk']['securepoll-create-poll'] = true;
$wgGroupPermissions['electionclerk']['securepoll-edit-poll'] = true;
$wgGroupPermissions['scrutineer']['securepoll-create-poll'] = true;
$wgGroupPermissions['scrutineer']['securepoll-edit-poll'] = true;
$wgGroupPermissions['scrutineer']['securepoll-view-voter-pii'] = true;
$wgSecurePollUseLogging = true;
Note that scrutineers have every right that election clerks have, plus securepoll-view-voter-pii. For AELECT, the CheckUser group will be used instead of a dedicated "Scrutineer" group, but it will carry the same permissions.
Testing
Permissions
Action | Regular user | Non-Added Election clerk/Scrutineer | Added Election clerk | Added Scrutineer |
---|---|---|---|---|
Vote in election | ✅ | ✅ | ✅ | ✅ |
Create a poll | ❌ | n/a | ✅ | ✅ |
See list of users who voted | ✅ | ✅ | ✅ | ✅ |
See individual votes | ❌ | ❌ | ❌ | ❌ |
See results total tally | ❌ | ❌ | ✅ | ✅ |
See voter IP address and user agent | ❌ | ❌ | ❌ | ✅ |
Strike votes | ❌ | ❌ | ✅ | ✅ |
Unstrike votes | ❌ | ❌ | ✅ | ✅ |
View vote strike logs | ❌ | ❌ | ✅ | ✅ |
View SecurePoll logs | ❌ | ✅ | ✅ | ✅ |
Edit poll questions once a poll is live | ❌ | ❌ | ❌ | ❌ |
Edit poll questions before start | ❌ | ❌ | ✅ | ✅ |
Add/remove users to/from a poll | ❌ | ❌ | ✅ | ✅ |
Note: see below for an explanation of "Added" vs "Non-Added".
Creating a poll
There are a lot of different options here. See the screenshot.
From playing around with the options, it looks like the best option for an admin-election style poll is a histogram vote with the options -1, 0 and +1, with custom labels (Oppose, Neutral and Support respectively). Not sure what we used for the election trial, but I assume it was that.
Encryption
Creating a new poll with encryption requires an encryption key and a signing key. These can be generated using openssl. I did the following (I'm on Windows, just using the standard openssl build bundled with Git for Windows):
openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out encryptionkey.crt
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out signingkey.key
This produces three files: keypair.pem (the RSA private key), encryptionkey.crt (the matching public key; despite the extension it is a bare public key, not a certificate) and signingkey.key (the same private key re-encoded as unencrypted PKCS#8). Open encryptionkey.crt and signingkey.key in a plain text editor and paste their contents into the openssl fields of the poll form. Only the public key is needed to encrypt ballots; decrypting the results later requires the private key, so keypair.pem and signingkey.key must be kept secret and backed up somewhere safe. Note that with this recipe the signing key and the decryption key are the same RSA key, so whoever holds the signing key can also decrypt the votes.
Encryption is optional. The only difference it makes is whether the server maintainer (i.e. the WMF) can in principle read the stored votes, and it adds the risk that someone loses the private key and the poll can never be tallied.
Adding users to polls
SecurePoll has a concept of adding what it calls "admins" (what we're calling election clerks/scrutineers) to polls. When creating a poll, the creator needs to specify the users who are able to administrate it (including scrutineers). It is not possible to add users to a poll that has closed. This personally makes me nervous of a scenario where a poll has ended with no scrutineers added to it, which means that the poll cannot be scrutineered at all, because one cannot be added to it after the fact.
Any user (election clerk or scrutineer) that has been added to a poll can:
- Edit the questions (before the poll is live)
- Add other election clerks/scrutineers to the poll (before the poll has ended)
- Remove other users from the poll (including those that added them)
- See the result tally (after the vote has concluded)
- Strike votes by particular users (after the vote has concluded)
Users cannot add themselves to other polls indiscriminately.
Strike/unstrike vulnerability
It looks like there is a way for election clerks/scrutineers to figure out how individual users voted. They would need to:
- Request a vote tally (which requires the encryption key, if the poll is encrypted)
- Strike a user's vote
- Request another vote tally
- Compare the tallies to determine how the user voted
- Unstrike the vote to cover their tracks
This would be hard to prevent, and difficult for a non-clerk to detect. Nothing stops scrutineers or election clerks from striking votes, and there is no limit on the number of tallies they can request. Each tally generated by an election clerk/scrutineer is logged (at Special:SecurePollLog), and each strike or unstrike is logged on the individual vote's Details page, but both logs are viewable only by election clerks/scrutineers, not by the general public. Even someone with access to both logs would have to correlate them by hand, since the tally log and the strike log live on different pages.
There is a phab ticket to look into this.
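The following is an added example, not SecurePoll code: a toy model of a closed histogram poll (options -1, 0 and +1, as in the setup above) that reproduces the five steps listed above and then scans the resulting action log for the tell-tale pattern. The Poll class, the voter names and the "clerk" actor are all constructed for illustration; the model keeps only the counting logic (a tally is a histogram over non-struck votes), and the combined log it produces assumes that the tally log and the strike/unstrike log can be read together, which in real SecurePoll means joining Special:SecurePollLog with each vote's Details page.

```python
# Added example (not SecurePoll code): model of the strike/unstrike attack.
from collections import Counter

OPTIONS = {-1: "Oppose", 0: "Neutral", 1: "Support"}  # histogram vote labels


class Poll:
    """Closed poll. Individual votes are never exposed; only histograms are."""

    def __init__(self, votes):
        self.votes = dict(votes)   # voter -> option (constructed sample data)
        self.struck = set()        # voters whose votes are currently struck
        self.log = []              # (action, actor, voter or None), in order

    def tally(self, actor):
        # A tally counts only non-struck votes and is logged per actor.
        self.log.append(("tally", actor, None))
        return Counter(opt for voter, opt in self.votes.items()
                       if voter not in self.struck)

    def strike(self, actor, voter):
        if voter not in self.votes or voter in self.struck:
            raise ValueError(f"cannot strike {voter}")
        self.struck.add(voter)
        self.log.append(("strike", actor, voter))

    def unstrike(self, actor, voter):
        if voter not in self.struck:
            raise ValueError(f"{voter} is not struck")
        self.struck.discard(voter)
        self.log.append(("unstrike", actor, voter))


def infer_vote(poll, actor, voter):
    """Steps 1-5 from the text: tally, strike, tally, compare, unstrike.

    Returns the option the voter chose. The poll's visible state (strike
    set and tally) is identical before and after; only the log differs.
    """
    before = poll.tally(actor)
    poll.strike(actor, voter)
    after = poll.tally(actor)
    poll.unstrike(actor, voter)          # cover tracks: counts are restored
    dropped = before - after             # Counter subtraction keeps positives only
    assert sum(dropped.values()) == 1    # exactly one vote went missing
    (option,) = dropped.keys()
    return option


def suspicious_sequences(log):
    """Detection rule: strike -> tally -> unstrike of the same vote by the
    same actor. A legitimate strike is normally not reverted after a tally.
    Returns (actor, voter, strike_index, unstrike_index) tuples."""
    found = []
    for i, (action, actor, voter) in enumerate(log):
        if action != "strike":
            continue
        for j in range(i + 1, len(log)):
            if log[j] == ("unstrike", actor, voter):
                if any(e == ("tally", actor, None) for e in log[i + 1:j]):
                    found.append((actor, voter, i, j))
                break
    return found


if __name__ == "__main__":
    poll = Poll({"alice": 1, "bob": -1, "carol": 1, "dave": 0})
    guess = infer_vote(poll, "clerk", "bob")
    print(f"clerk learned that bob voted {OPTIONS[guess]}")
    print("public-facing state unchanged:", dict(poll.tally("clerk")), poll.struck)
    print("flagged by log review:", suspicious_sequences(poll.log))
```

The detection rule only works for someone who can read both logs, which per the table above is the same clerk/scrutineer population that can carry out the attack; it is a consistency check among clerks, not a public safeguard.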