glondu / belenios

Verifiable online voting system. This is a mirror of https://gitlab.inria.fr/belenios/belenios
https://www.belenios.org
GNU Affero General Public License v3.0

Pass voting credentials by link #49

Open albanbruder opened 2 years ago

albanbruder commented 2 years ago

From the voter's perspective, it would be nice if we could skip the step of entering the credential in the booth.

Since the credential is a key part of the voting process, we could pass the credential in the voting link to the voting booth. E.g., we could send the following link by email: https://belenios.loria.fr/elections/:id/#credential=123-456-789-abc-deN . The credentials input could be filled in automatically and the first step of the voting process could be skipped.

Note: Query parameters do not work here because they are sent to the server, but the anchor tag is not.

What do you think about this feature? Do you think this poses some kind of risk?

pgaudry commented 2 years ago

It seems to me that there is no theoretical security problem with what you propose. However, Human Factor and UX come into play, and we must be careful before doing such a change. In the present email, this is kind of obvious that the message contains personal security data. The code is made very visible. Hiding this personal information in a link might cause situations where the voter does not realize that this is a personal link and forwards the email to a friend/colleague who asks "Do you know where is the link for voting?" This is the only security risk I can think of, and this does not mean that this is a no-go, but still calls for carefulness.

glondu commented 2 years ago

I've implemented the feature for the election homepage (via #c=123-456-789-abc-deN) and both booths (via #credential=123-456-789-abc-deN). The election homepage automatically forwards the credential to the booth, if present. So, (with the next release), credential authorities will be free to send direct links. For now, emails sent in automatic mode do not (we need to work on the wording).
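As an added illustration (not Belenios code, not from any participant in this thread), this sketches the client-side half of what the comment above describes: reading a credential from the URL fragment under either of the parameter names mentioned (`c` on the election page, `credential` in the booth), and prefilling the input. It additionally strips the fragment from the address bar after use so the credential is not left in browser history or in a copied URL; the sample credential value and the `input[name="credential"]` selector are assumptions for the example.

```javascript
// Added example, not Belenios code. The URL fragment is never sent to the
// server, so it can carry the credential without appearing in server logs.
// Assumed: parameter names "c" and "credential" (from the issue), an opaque
// token such as 123-456-789-abc-deN (constructed sample value), and a booth
// input named "credential" (hypothetical selector).

const CREDENTIAL_KEYS = ['credential', 'c'];

// Parse a location.hash string ("#credential=..." or "#c=...") and return
// the credential, or null if none is present. Tolerates a missing '#',
// percent-encoding and extra '&'-separated fragment parameters.
function credentialFromFragment(hash) {
  if (typeof hash !== 'string') return null;
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  if (body === '') return null;
  const params = new URLSearchParams(body);
  for (const key of CREDENTIAL_KEYS) {
    const value = params.get(key);
    if (value !== null && value.trim() !== '') return value.trim();
  }
  return null;
}

// Build the election-page link that forwards the credential to the booth.
function credentialLink(electionUrl, credential) {
  return `${electionUrl}#c=${encodeURIComponent(credential)}`;
}

// Prefill the booth's credential input from the fragment, then replace the
// history entry with the fragment-less URL so the credential does not stay
// in browser history. Takes document/window as parameters so it can be
// exercised outside a browser. Returns true when an input was prefilled.
function prefillCredentialInput(doc, win) {
  const credential = credentialFromFragment(win.location.hash);
  if (credential === null) return false;
  const input = doc.querySelector('input[name="credential"]');
  if (!input) return false;
  input.value = credential;
  win.history.replaceState(null, '', win.location.pathname + win.location.search);
  return true;
}

// In a real page this runs on load; in Node it is skipped.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  prefillCredentialInput(document, window);
}
```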

albanbruder commented 2 years ago

Thank you @glondu. This truly looks great. However, I also understand the concerns raised by @pgaudry. The problem with users (accidentally) sharing their personal voting information with others exists in the current mode as well. Maybe we can make the whole thing optional. (Either through the interface or only for manual mode with the separate credential authority).