
Allow election decryption key to be submitted via the TallyPage form
Closed, Resolved · Public · 5 Estimated Story Points

Description

Motivation

There is currently no way to conduct tallying for encrypted elections via the web interface. The process requires the admin to log on to the server and enter the decryption key on the command line; the server then generates the tally and prints it back on the command line.

A major reason for encrypting votes is so that results can't be looked up while the voting is ongoing. It also prevents disclosure of how users voted. More details: https://wikitech.wikimedia.org/wiki/SecurePoll#Encryption

We want to simplify this process for the election admins and allow them to conduct tallies for encrypted elections via the web interface.
See investigation task: T269029: Investigate issues with Tally function in SecurePoll [8Hr]

Requirements

This task is for allowing the key to be entered via a form field on TallyPage, so that election admins can tally an election without first putting the key on the server.

Screenshot 2021-01-13 at 9.46.48 AM.png (584×1 px, 55 KB)

  • The field for entering the decryption key should only appear for encrypted elections.
  • Once the decryption key is submitted, start the process for tallying the election on the server
  • A progress bar (possible?) should be displayed to the user while the results are being computed
  • Display the election results back on the tally page, once complete

This task is not for removing the key from the server. Whether we can stop storing the key on the server once this is done will need to be discussed among election admins.

Event Timeline

@Prtksxna You can use this task to add the design.

We can add a text input to enter the key and decrypt the page

Screenshot 2021-01-13 at 9.46.48 AM.png (584×1 px, 55 KB)


A couple of questions:

  • The decryption takes ~10 minutes, will we be able to show a progress bar? Or should we think about showing a loading indicator that doesn't show progress?
  • Can the user leave the page after clicking the button? What would happen if they do?
  • If they close the page and come back to it can we show the state (still decrypting…)?
  • Should we enforce that the key cannot be entered till the end of voting?
Niharika updated the task description.

Considering this task as a best-case scenario - assuming the results come back fast enough. We'll consider the progress bar if things don't pan out as expected.

ARamirez_WMF set the point value for this task to 5. Jan 13 2021, 5:27 PM

Thanks for the designs @Prtksxna

  • The decryption takes ~10 minutes, will we be able to show a progress bar? Or should we think about showing a loading indicator that doesn't show progress?

We're hoping this won't be the case after T271824: Improve the efficiency of vote decryption during tallying - would it be OK for us to do this as a separate task if it is still a problem?

  • Can the user leave the page after clicking the button? What would happen if they do?
  • If they close the page and come back to it can we show the state (still decrypting…)?

Similar to the above, we're hoping that it will be like a normal form submission with results loading quickly. So it would work like any form - if you leave after submitting, you'll have to go back and resubmit. As above, could we move this to a future task if still a problem?

  • Should we enforce that the key cannot be entered till the end of voting?

I agree we should. The TallyPage already has handling for this: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/SecurePoll/+/ddc4e600cfeefd847c1d498eab7df289364e7bf9/includes/Pages/TallyPage.php#46

We're hoping this won't be the case after T271824: Improve the efficiency of vote decryption during tallying - would it be OK for us to do this as a separate task if it is still a problem?

Similar to the above, we're hoping that it will be like a normal form submission with results loading quickly. So it would work like any form - if you leave after submitting, you'll have to go back and resubmit. As above, could we move this to a future task if still a problem?

Yep, that makes sense.

Tchanders renamed this task from Allow election encryption key to be submitted via the TallyPage form to Allow election decryption key to be submitted via the TallyPage form. Jan 22 2021, 7:28 PM
Tchanders updated the task description.

Change 658440 had a related patch set uploaded (by Tchanders; owner: Tchanders):
[mediawiki/extensions/SecurePoll@master] Allow decryption key to be entered via tally page

https://gerrit.wikimedia.org/r/658440

Here's how the form looks in different situations:

Unencrypted election (unchanged by this task):

image.png (202×298 px, 7 KB)

Encrypted election with a key in the database (unchanged by this task):

image.png (398×778 px, 29 KB)

Encrypted election with no key in the database:

Before this task:
image.png (118×683 px, 12 KB)

After this task:
image.png (698×780 px, 41 KB)

Now that the forms are more complicated, they should probably be one form rather than repeating the fields. Have filed T272916 for this.

Change 658440 merged by jenkins-bot:
[mediawiki/extensions/SecurePoll@master] Allow decryption key to be entered via tally page

https://gerrit.wikimedia.org/r/658440

dom_walden subscribed.

You can enter the private key on the tally page and have it decrypt the results either directly from the DB or from an XML dump you already have.

When on the tally page for election x, if you upload an XML dump it does not validate that the dump is from election x. If the dump is actually from election y (and you have the private key for election y) you can use the form to decrypt election y. You could perhaps use this as a workaround to decrypt election y if you are no longer an election admin for y. But, you would still need to have access to the private key for election y, so you could decrypt the XML dump using other tools if you were so inclined.

I also tested tallying unencrypted results and encrypted results where the private key already exists on the server.

Test Environment: local docker SecurePoll 2.0.0 (3534347) 07:48, 1 February 2021.
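As an added illustration (not SecurePoll's own code) of the two gates discussed in this thread, the end-of-voting check and the missing check that an uploaded dump belongs to the election being tallied: a small Python validator that refuses a tally request before voting ends, accepts a key only for an encrypted election, and rejects a dump whose election id differs from the page's election. The dump layout `<SecurePoll><election id="...">`, the field names and the sample elections are assumptions constructed for the example, not the real dump format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Election:
    id: int
    encrypted: bool     # True if votes were encrypted with the election's public key
    end_date: datetime  # end of the voting period (UTC)

def dump_election_id(xml_bytes: bytes) -> int:
    """Read the election id out of an uploaded dump. The layout
    <SecurePoll><election id="..."> is an assumption for this example,
    not SecurePoll's real format. Raises ValueError on unusable input."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as e:
        raise ValueError(f"dump is not well-formed XML: {e}")
    election = root.find("election")
    if election is None or election.get("id") is None:
        raise ValueError("dump carries no election id")
    return int(election.get("id"))

def tally_request_problem(election, key, dump=None, now=None):
    """Return why a tally request must be refused, or None if it is acceptable.
    Checks in order: voting has ended; a key is supplied exactly when the
    election is encrypted; an uploaded dump belongs to this election."""
    now = now or datetime.now(timezone.utc)
    if now < election.end_date:
        return "voting has not finished; refusing to tally early"
    if key and not election.encrypted:
        return "election is not encrypted; no key expected"
    if election.encrypted and not key:
        return "encrypted election: a decryption key is required"
    if dump is not None:
        try:
            found = dump_election_id(dump)
        except ValueError as e:
            return str(e)
        if found != election.id:
            return f"dump is for election {found}, but this page tallies election {election.id}"
    return None

# Constructed sample data (not taken from any real election)
END = datetime(2021, 1, 31, tzinfo=timezone.utc)
BEFORE_END = datetime(2021, 1, 30, tzinfo=timezone.utc)
AFTER_END = datetime(2021, 2, 1, tzinfo=timezone.utc)
ELECTION_X = Election(id=7, encrypted=True, end_date=END)
ELECTION_PLAIN = Election(id=8, encrypted=False, end_date=END)
DUMP_X = b'<SecurePoll><election id="7"><vote>c</vote></election></SecurePoll>'
DUMP_Y = b'<SecurePoll><election id="9"/></SecurePoll>'
```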

You can enter the private key on the tally page and have it decrypt the results either directly from the DB or from an XML dump you already have.

When on the tally page for election x, if you upload an XML dump it does not validate that the dump is from election x. If the dump is actually from election y (and you have the private key for election y) you can use the form to decrypt election y. You could perhaps use this as a workaround to decrypt election y if you are no longer an election admin for y. But, you would still need to have access to the private key for election y, so you could decrypt the XML dump using other tools if you were so inclined.

Thanks for checking this, @dom_walden. I wondered about this. I imagine this is acceptable if the user has access to both the decryption key and the dump.

@jrbs I want to flag this for you.

I also tested tallying unencrypted results and encrypted results where the private key already exists on the server.

Test Environment: local docker SecurePoll 2.0.0 (3534347) 07:48, 1 February 2021.