siv-org / siv

Secure Internet Voting protocol
https://siv.org

Unclear defense against malicious clients #213

Open dglittle opened 3 months ago

dglittle commented 3 months ago

Defenses against malicious clients (e.g. a malicious browser extension) are also not described well in the documentation. There are statements about the use of QR codes here, though (again) it is unclear to me what security this actually provides. If I am a malicious SIV server, why wouldn't I direct you to another auth code, or show you a special version of the log?

Originally posted by @mspecter in https://github.com/siv-org/siv/issues/195

arianabuilds commented 2 months ago

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $226.76 from SIV and $157.43 from the Public Vote, for a total of $384.19.

Here's what we noted in our evaluation:

What's interesting about this submission

What takes away from it

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/11