Wednesday, September 09, 2015

Gujarat's oneline voting site is "not trustworthy", is "insecure", warn top web browsers Firefox, Chrome

Screenshot of Gujarat's online voting site
through Firefox on Sept 9 morning
By Our Representative
The Gujarat State Election Commission's (SEC's) “offer” a few days back to allow the voters to the state's municipal corporation elections, likely next month, that they could register on its website to avail of the “opportunity” offered by it for online voting, has failed security check on selected, more secure computer devices. As one visited  the website's link for registering on a laptop for online voting, https://onlinevotinggujarat.gov.in/, a security alert declared that the site is not safe.
The SEC is responsible for holding elections to local bodies – municipal corporations, municipalities, and panchayats. It has offered to allow online voting through personal computers sitting at home in major cities such as Ahmedabad, Vadodara, Surat, Rajkot, Bhavnagar and Jamnagar. Municipalities have not been “allowed” the facility.
Browsed on Firefox on the highly-secure Ubuntu (Linux) operating system, after visiting the SEC's website, http://www.sec.gujarat.gov.in/index.htm, which prominently displays the photograph of ex-state chief secretary and SEC chairman Varesh Sinha, as one clicks on “Visit for Online Voting”, one is promptly directed to the online voting site link.
However, instead of allowing one to register for online voting, Firefox prominently declares, “This Connection is Untrusted.”
The message from Firefox reads, “You have asked Firefox to connect securely to onlinevotinggujarat.gov.in, but we can't confirm that your connection is secure.” It adds "Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.”
Asking the question “What Should I Do?”, the browser replies, "If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.”
As one clicks on “technical details” to find out the SEC's online registration site, the browser declares, “onlinevotinggujarat.gov.in uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown.” It adds, “The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.”
This page section ends with the following remark: “(Error code: sec_error_unknown_issuer).” Then it takes one to another link asking, whether “I understand the risk”, adding with the following remark, “If you understand what's going on, you can tell Firefox to start trusting this site's identification.”
Even then, the browser continues to warn, “Even if you trust the site, this error could mean that someone is tampering with your connection. Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.” Thereafter it takes one to “Add Exceptions...” and leaves one to take the “risk”.
Opening the site  through a top branded tablet on Chrome browser had a similar result. With a big red icon of a bag having a cross in the middle, the warning says, "Your connection is not private", adding, "Attackers might be trying to steal your information from https://onlinevotinggujarat.gov.in  (for example passwords, messages, or credit cards)."
Chrome underlines, "This server could not prove that it is https://onlinevotinggujarat.gov.in; its security certificate is not trusted by your device's operating system. This may be caused by a misconfiguration or an attack intercepting your connection."
It adds, "Proceed to https://onlinevotinggujarat.gov.in (unsafe)." Opening the SEC site from a desktop computer, however, did not result in the warning both on Chrome and on Firefox. It is suspected that the website developers have not have resolved security issues completely before developing the site.
The SEC's “untrustworthiness” comes days after the Supreme Court stay on elections to Gujarat's municipal corporations on a petition filed by a Vadodara citizen, who questioned the formation of new wards for polls, saying they “violated” the principle of reservation.

No comments: