Page MenuHomePhabricator
Create Task
Maniphest T288924

Private keys visible to anonymous users in SecurePoll dump
Closed, ResolvedPublic
Actions

Description

I noticed that the private keys for signing and encryption for previous SecurePoll dumps were accessible to everyone via the dump feature.

This was previously mentioned in public at T204190#5389157 but I want to note that exposure of private keys was not intentional.

The vote records encrypted by these keys are anonymized by the UI, and anonymized plaintext ballot dumps were already made available for most elections. So there is limited impact for user privacy. That's why I'm not making this a security task.

Encryption of vote records is mostly supposed to be a protection against vote-buying, since we provide the vote record as a receipt to users. If vote records can be decrypted then a user can prove who they voted for, and a third party can verify that the user did not change their vote before the end of the election by confirming that the vote record appears in the dump.

Signing keys are an integrity feature intended to protect voters against alteration of vote records after their votes were cast.

I temporarily enabled the voter-privacy property on all prior elections on votewiki, and I'll submit a patch which removes keys from the dump.

Details

SubjectRepoBranchLines +/-
Filter encryption keys out of public dumpsmediawiki/extensions/SecurePollwmf/1.37.0-wmf.18+4 -2
Filter encryption keys out of public dumpsmediawiki/extensions/SecurePollmaster+4 -2
Customize query in gerrit

Related Objects

Event Timeline

tstarling created this task.Aug 16 2021, 6:41 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 16 2021, 6:41 AM
Stashbot added a comment.Aug 16 2021, 6:41 AM

Mentioned in SAL (#wikimedia-operations) [2021-08-16T06:41:48Z] <TimStarling> on votewiki, set voter-privacy option to 1 on all prior elections T288924

gerritbot added a comment.Aug 16 2021, 6:58 AM

Change 713214 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/extensions/SecurePoll@master] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713214

gerritbot added a project: Patch-For-Review.Aug 16 2021, 6:58 AM
Zabe subscribed.Aug 16 2021, 9:48 AM
gerritbot added a comment.Aug 16 2021, 10:39 AM

Change 713214 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713214

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.19; 2021-08-16).Aug 16 2021, 11:00 AM
Maintenance_bot removed a project: Patch-For-Review.Aug 16 2021, 11:10 AM
gerritbot added a comment.Aug 17 2021, 6:28 AM

Change 713356 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/extensions/SecurePoll@wmf/1.37.0-wmf.18] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713356

gerritbot added a project: Patch-For-Review.Aug 17 2021, 6:28 AM
gerritbot added a comment.Aug 17 2021, 6:51 AM

Change 713356 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@wmf/1.37.0-wmf.18] Filter encryption keys out of public dumps

https://gerrit.wikimedia.org/r/713356

Stashbot added a comment.Aug 17 2021, 6:55 AM

Mentioned in SAL (#wikimedia-operations) [2021-08-17T06:55:51Z] <tstarling@deploy1002> Synchronized php-1.37.0-wmf.18/extensions/SecurePoll/cli/dump.php: T288924 (duration: 00m 58s)

Stashbot added a comment.Aug 17 2021, 6:57 AM

Mentioned in SAL (#wikimedia-operations) [2021-08-17T06:57:04Z] <tstarling@deploy1002> Synchronized php-1.37.0-wmf.18/extensions/SecurePoll/includes/Entities/Election.php: T288924 (duration: 00m 57s)

tstarling closed this task as Resolved.Aug 17 2021, 6:59 AM
tstarling claimed this task.
ReleaseTaggerBot edited projects, added MW-1.37-notes (1.37.0-wmf.18; 2021-08-09); removed MW-1.37-notes (1.37.0-wmf.19; 2021-08-16).Aug 17 2021, 7:00 AM
Maintenance_bot removed a project: Patch-For-Review.Aug 17 2021, 7:10 AM
dom_walden mentioned this in T289186: Write cli tally output to database.Aug 19 2021, 9:00 AM
jrbs mentioned this in T145695: Dump should return decrypted votes.Jul 29 2022, 10:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits