Page MenuHomePhabricator

Private keys visible to anonymous users in SecurePoll dump
Closed, ResolvedPublic

Description

I noticed that the private keys for signing and encryption for previous SecurePoll dumps were accessible to everyone via the dump feature.

This was previously mentioned in public at T204190#5389157 but I want to note that exposure of private keys was not intentional.

The vote records encrypted by these keys are anonymized by the UI, and anonymized plaintext ballot dumps were already made available for most elections. So there is limited impact for user privacy. That's why I'm not making this a security task.

Encryption of vote records is mostly supposed to be a protection against vote-buying, since we provide the vote record as a receipt to users. If vote records can be decrypted then a user can prove who they voted for, and a third party can verify that the user did not change their vote before the end of the election by confirming that the vote record appears in the dump.

Signing keys are an integrity feature intended to protect voters against alteration of vote records after their votes were cast.

I temporarily enabled the voter-privacy property on all prior elections on votewiki, and I'll submit a patch which removes keys from the dump.

Event Timeline

Mentioned in SAL (#wikimedia-operations) [2021-08-16T06:41:48Z] <TimStarling> on votewiki, set voter-privacy option to 1 on all prior elections T288924

Change 713214 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/extensions/SecurePoll@master] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713214

Change 713214 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713214

Change 713356 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/extensions/SecurePoll@wmf/1.37.0-wmf.18] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713356

Change 713356 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@wmf/1.37.0-wmf.18] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713356

Mentioned in SAL (#wikimedia-operations) [2021-08-17T06:55:51Z] <tstarling@deploy1002> Synchronized php-1.37.0-wmf.18/extensions/SecurePoll/cli/dump.php: T288924 (duration: 00m 58s)

Mentioned in SAL (#wikimedia-operations) [2021-08-17T06:57:04Z] <tstarling@deploy1002> Synchronized php-1.37.0-wmf.18/extensions/SecurePoll/includes/Entities/Election.php: T288924 (duration: 00m 57s)

tstarling claimed this task.