Friday, December 29, 2017

OpaVote Security Practices

Some OpaVote customers are nervous about the security of online elections. To reduce risk, OpaVote follows many security best practices, and in this post we explain some of them to reassure you that it is safe to run your elections with OpaVote.

This is a followup post to a previous one where we showed that OpaVote has far better practices than other online election providers as determined by independent third parties.

Hackers have five possibilities in trying to undermine your election:
  1. Breaking into Google servers (OpaVote runs on Google)
  2. Accessing secret codes of voters
  3. Obtaining an election manager's password
  4. Obtaining an OpaVote administrator password
  5. Exploiting possible vulnerabilities in the OpaVote website
We'll address each of these below.

Google Servers

Google fully maintains all the servers used by OpaVote. Because Google runs many important websites, it goes to great lengths to ensure security. For this reason, we can rely on Google to make sure that servers have been updated with the latest security patches, and that the doors to the server rooms are locked.

Voters

For email voters, we provide each voter with a 128-bit code. This provides a HUGE number of codes. Here is the number written out: 340,282,366,920,938,000,000,000,000,000,000,000,000. If you could try a billion codes per second, then it would take more than a billion years to try all of the codes. For this reason, hackers cannot guess voter codes.

Your voters' email accounts are the weakest link, because many of your voters likely don't have good security practices with their personal email accounts. Email providers keep getting better at enforcing security practices (e.g., strong passwords), though, so it is still hard for a hacker to gain access to an individual email account, and much harder to gain access to enough email accounts to influence the election.

Election Managers

This one is mostly up to you. You should be using a strong password for your account and a password that is different from all of your other passwords. Preferably, you log in to OpaVote using an existing account (e.g., a Google or Facebook account) with two-factor authentication. If you do create a password at OpaVote, we store only a salted hash of your password so that even if someone broke into OpaVote, there would be no way for them to get your actual password.
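To make the two points above concrete (the 128-bit voter codes and the salted password hashes), here is an added illustration that is not OpaVote's own code: it generates a 128-bit code from the operating system's secure random source, computes the "billion guesses per second" estimate, and stores and checks a salted password hash. The hash function (PBKDF2-HMAC-SHA256) and its parameters are assumptions for the example, not what OpaVote actually uses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

CODE_BITS = 128  # size of each voter code, as described in the post


def new_voter_code() -> str:
    """Generate a random 128-bit voter code (32 hex characters) from the OS CSPRNG."""
    return secrets.token_hex(CODE_BITS // 8)


def code_space_size(bits: int = CODE_BITS) -> int:
    """Number of distinct codes of the given bit length (2**128 for voter codes)."""
    return 2 ** bits


def years_to_exhaust(bits: int = CODE_BITS, guesses_per_second: float = 1e9) -> float:
    """Years needed to try every code at the given guess rate (365-day years)."""
    seconds = code_space_size(bits) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Return 'iterations$salt$hash'; the salt is 16 random bytes unless one is supplied.

    Only this string is stored, never the password itself (assumed scheme, PBKDF2-HMAC-SHA256).
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations_s, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("example voter code:", new_voter_code())
    print("codes in the space:", code_space_size())
    print("years to try them all at 1e9/s:", f"{years_to_exhaust():.2e}")
```

Two hashes of the same password differ because each gets a fresh salt, which is what stops an attacker who steals the database from cracking many accounts with one precomputed table.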

OpaVote Administrator

We can access OpaVote servers as administrators using an administrator password. We have only a single password for administrator access, it is strong, it is different from all other passwords used by us at OpaVote, and we have enabled two-factor authentication. This prevents hackers from getting administrative access.

OpaVote Website

There are many different ways that hackers can attack a website, such as by trying to upload harmful code or sniffing Internet traffic. This is a very complicated area, but here are some of the measures we take to prevent attacks on the OpaVote website:

  • All traffic to OpaVote is encrypted using HTTPS and HSTS. Any non-encrypted requests are immediately redirected to encrypted requests.
  • Cookies are encrypted.
  • We don't store any sensitive information, such as credit card numbers. Payments are handled by secure third party providers.
  • To prevent injection attacks and cross-site scripting attacks, all queries are parameterized and user input is escaped. Where we do allow HTML input, we check it against a whitelist to prevent unsafe content.
  • We have tests to continually check that management pages are only accessible to authorized managers.
  • All forms carry CSRF tokens to prevent hackers from causing you to execute unwanted actions.
To see more details, check out the security grades that OpaVote has received from these independent third parties:
Please feel free to contact us with any questions on our security practices.