OK everyone has seen the reports of glitches with voting machines, specifically those run by DominionVoting. There’s some interesting info to be aware of and which I’m going to expand on along with some others. Thread follows….
https://twitter.com/kylenabecker/status/1324934259199664129 DominionVoting systems can be connected to the internet.
A diagram of the system topology shows the external connection points.
Let’s take a look at a few potential issues with the DominionVoting website and its security.
Content Security Policy (CSP) header not implemented. Content Security Policy (CSP) is an HTTP header that allows website operators greater control over where resources on their site can be loaded from.
The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. CSP is strongly recommended for all existing high-risk sites, and DominionVoting would qualify as one.
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript – either reflected or stored – means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript.
By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.
Network security. DNSSEC not enabled. DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.
HTTP Strict Transport Security (HSTS) header not implemented. HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.
This is important because HTTPS is HTTP carried over an encrypted channel: the connection is protected by Transport Layer Security (TLS), formerly SSL, and it is the basis of secure communication on the Internet.
Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS. HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.
Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks.
Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS which helps mitigate.
So what is it? Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.
If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it.
The use of subresource integrity should be mandatory for all external JavaScript resources loaded from sources not hosted on systems the site operator controls.
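To make the SRI mechanism concrete, here is an added example (not from the original thread) that generates the integrity attribute for a script and verifies a fetched copy against it the way a browser does: when several hashes are listed, only the strongest algorithm present is consulted, and a single changed byte makes the check fail. The script bodies are constructed sample data, not anything served by any real site.

```python
"""Subresource Integrity (SRI) generation and verification.

Added example; the script bodies below are constructed for illustration.
"""
import base64
import hashlib

# SRI algorithms, ordered weakest to strongest. When an integrity attribute
# lists several hashes, browsers consider only the strongest algorithm given.
ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample: a small third-party library as it would be served by a CDN.
SCRIPT = b"window.widget = function () { return 'constructed sample library'; };\n"
# Constructed sample: the same library after a single injected line.
TAMPERED = SCRIPT + b"document.title = 'modified';\n"


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Return the value to put in a <script integrity="..."> attribute."""
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(data: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute (possibly several hashes).

    Browsers treat an attribute with no parseable hash as absent and load the
    resource anyway; a build-time check should fail closed instead, so an empty
    or unparseable attribute returns False here.
    """
    by_algo = {}
    for token in integrity.split():
        algo, sep, expected = token.partition("-")
        algo = algo.lower()
        if sep and algo in ALGORITHMS:
            # The spec allows "?options" after the digest; ignore them.
            by_algo.setdefault(algo, []).append(expected.split("?", 1)[0])
    if not by_algo:
        return False
    strongest = max(by_algo, key=ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return actual in by_algo[strongest]


def script_tag(src: str, data: bytes) -> str:
    """Render a <script> tag pinned to the given bytes; crossorigin is required
    for SRI checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_integrity(data)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Hypothetical CDN URL, used only to show the rendered tag.
    print(script_tag("https://cdn.example.invalid/widget.js", SCRIPT))
    print("original verifies:", sri_verify(SCRIPT, sri_integrity(SCRIPT)))
    print("tampered verifies:", sri_verify(TAMPERED, sri_integrity(SCRIPT)))
```

The tag printed by the block is what an operator would commit alongside the pinned library version; any later change to the hosted file, whether by the CDN or by an attacker who compromised it, causes supporting browsers to refuse the script rather than run it.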
X-Content-Type-Options header not implemented. X-Content-Type-Options is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells them not to load scripts and stylesheets unless the server indicates the correct MIME type.
Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites should set the X-Content-Type-Options header and the appropriate MIME types for files that they serve.
X-Frame-Options (XFO) header not implemented. X-Frame-Options is an HTTP header that lets a site control how it may be framed within an iframe. iframes are a secure method of embedding content from other sites onto your own page.
If not secured properly, the site is vulnerable to clickjacking. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all.
As such, the use of the X-Frame-Options header should be mandatory for all new websites. Note that X-Frame-Options has been superseded by the Content Security Policy’s frame-ancestors directive, which allows considerably more granular control over the origins allowed to frame a site.
As frame-ancestors is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ X-Frame-Options in addition to using CSP.
Sites that require the ability to be iframed should use Content Security Policy and/or JavaScript defenses to prevent clickjacking from malicious origins.
X-XSS-Protection header not implemented. X-XSS-Protection is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don’t yet support CSP.
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.
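The header checks above (CSP, HSTS, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) are easy to automate against a captured response. The following is an added example, not part of the original thread, that audits a response's headers offline and reports the same findings the thread lists; it also parses the CSP to flag a policy that still permits inline script. Both header sets are constructed samples and do not describe any real server; the six-month HSTS minimum is an assumption chosen for the example, not a figure from the thread.

```python
"""Audit an HTTP response's security headers against the checks in the thread.

Added example with constructed sample headers; the thresholds are assumptions.
"""
import re

# Assumption for this example: HSTS max-age should cover at least six months.
MIN_HSTS_AGE = 15552000

# Constructed sample: a response implementing none of the headers discussed.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "constructed-sample",
}

# Constructed sample: the same response with the recommended headers added.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}


def _ci_get(headers, name):
    """Header names are case-insensitive; look one up regardless of case."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_allows_inline_script(policy):
    """True if inline <script> would execute under this policy."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no script restriction at all
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False
    return "'unsafe-inline'" in sources


def audit(headers):
    """Return a list of findings, empty when every check passes."""
    findings = []
    csp = _ci_get(headers, "Content-Security-Policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("Content Security Policy (CSP) header not implemented")
    elif csp_allows_inline_script(policy):
        findings.append("CSP implemented but still allows inline JavaScript")

    hsts = _ci_get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HTTP Strict Transport Security (HSTS) header not implemented")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age is shorter than six months")

    if (_ci_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options header not implemented")

    # Either X-Frame-Options or a CSP frame-ancestors directive covers clickjacking.
    if _ci_get(headers, "X-Frame-Options") is None and "frame-ancestors" not in policy:
        findings.append("X-Frame-Options header not implemented (no CSP frame-ancestors either)")

    if _ci_get(headers, "X-XSS-Protection") is None:
        findings.append("X-XSS-Protection header not implemented")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit(hdrs) or ['no findings']}")
```

Feeding the function a real response's header dictionary (for example `dict(resp.headers)` from any HTTP client) turns the thread's checklist into a repeatable test that can run in CI every time the site's front end is deployed.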
I should add a final comment. My thread has zero to do with politics nor is this a reflection of any political preference of mine. This is about the integrity & security of our election process & the systems that support it. This has been a problem since long before this election.
You can follow @Credible_Intel.