
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set

This presentation from #RomHack2021 introduces the OWASP ModSecurity Core Rule Set Web Application Firewall (CRS). It then introduces the 20 years history of Internet Voting in Switzerland and then explains how the Swiss Post system was secured with the help of OWASP CRS. The presentation links several resources including government reports and an important tuning description by Swiss Post.

  1. @ChrFolini – Securing Internet Voting – #RomHack2021 – 2021-09-25. Christian Folini / @ChrFolini: Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
  2. Plan for Today
     - Intro to the OWASP ModSecurity Core Rule Set
     - History of Internet Voting in Switzerland
     - Applying ModSec & CRS for maximum security
  3. Baseline / 1st Line of Defense: Safety Belts
  4. ModSecurity
     - Embedded
     - Rule oriented
     - Granular Control
  5. Chart: CRS3 Default Install. Categories: Redir., RFI, LFI, XSS, SQLi. Values shown: 0%, 0%, -100%, -82%, -100%. Research based on 4.5M Burp requests.
  6. Numbers by Tuomo Makkonen: https://blog.fraktal.fi/cloud-waf-comparison-part-2-e6e2d25f558c
  7. Why Open Source Beats Commercial!
  8.–13. Why Open Source Beats Commercial! (diagram built up over six slides: true positive, false positive, false negative, $$$)
  14. Paranoia Levels
     - Paranoia Level 1: Minimal number of false positives. Baseline protection
     - Paranoia Level 2: More rules, some false positives. Real data in the service
     - Paranoia Level 3: Specialized rules, more false positives. Online banking level security
     - Paranoia Level 4: Crazy rules, many false positives. Nuclear power plant level security
  15. Paranoia Levels (same slide, with Paranoia Level 4 relabelled: Internet Voting level security)
  16. False Positives (FPs)
     - FPs are expected from PL2
     - FPs are fought with rule exclusions
     - Rule exclusion tutorials at netnea.com
     - Rule exclusion software c-rex.netnea.com
     - Attend one of my courses via netnea.com
  17. Summary OWASP Core Rule Set
     - 1st Line of Defense against web application attacks
     - Generic set of deny-rules for WAFs
     - Blocks >80% of web application attacks by default
     - Paranoia Levels can push this into the >95% region
     - Granular control over the behavior of the WAF down to the parameter level
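As an added example (not a slide from the talk and not Swiss Post's published configuration), the two mechanisms slides 14 to 17 name, paranoia levels and rule exclusions, written in CRS 3.x syntax. The /vote/login path and the password parameter are hypothetical; rule ids 900000, 900110 and 942100 and the two exclusion file names are the real CRS 3.x ones.

```apache
# Added example, not from the talk. Hypothetical application under /vote.

# --- crs-setup.conf: paranoia level -------------------------------------
# Rule 900000 is the CRS 3.x paranoia level switch. PL1 is the default;
# each higher level enables additional, stricter rules (slide 46 runs PL4).
# The extra rules bring false positives, which the exclusions below remove
# one parameter at a time until none are left ("tune down to zero").
SecAction \
    "id:900000,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.paranoia_level=4"

# Rule 900110 sets the anomaly score thresholds (CRS defaults: 5 inbound,
# 4 outbound). One critical-severity rule match scores 5, so with an
# inbound threshold of 5 a single critical hit is enough to block.
SecAction \
    "id:900110,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (loaded before CRS) -----
# Runtime exclusion, scoped to one path: the hypothetical login form has a
# free-text password field that legitimately contains quotes and operators
# which the libinjection SQLi rule 942100 flags. Only that parameter is
# removed from only that rule, and only for requests to /vote/login; every
# other parameter and path keeps full PL4 inspection.
SecRule REQUEST_FILENAME "@beginsWith /vote/login" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=942100;ARGS:password"

# --- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (loaded after CRS) ------
# Configure-time alternative: the same exclusion, but global (all paths).
# Use this form only when the parameter is legitimately unrestricted
# everywhere; the scoped form above is the tighter choice.
SecRuleUpdateTargetById 942100 "!ARGS:password"
```

Use one of the two exclusion forms, not both; the scoped `ctl:` rule is the one that keeps the attack surface smallest, because the exclusion only applies where the false positive actually occurs.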
  18. Voting in Switzerland. Photo: Gian Ehrensberger
  19. Process Around Swiss Mail-in Ballots. Source: Killer / Stiller, The Swiss Postal Voting Process and its System and Security Analysis
  20. Typical Swiss Election Ballot
  21. Typical Swiss Election Ballot. Bonus points for spotting the content manager from Butt-ville.
  22. Key Argument against Internet Voting: "We simply can’t build an Internet voting system that is secure against hacking because of the requirement for a secret ballot." Bruce Schneier, Online Voting Won’t Save Democracy, The Atlantic, May 2017
  23.–27. Arguments in Favor of Internet Voting: The Swiss Perspective (built up over five slides)
     - Citizens living abroad
     - Visually impaired and quadriplegic voters
     - Formally invalid ballots
     - Security issues of physical voting
  28. The Cantons of Switzerland. Graphic: Wikipedia
  29. Timeline Internet Voting in Switzerland
     - 2000, 1st project: 1st Swiss internet voting project is launched with three pilot cantons.
     - 2004, 1st Geneva trial: Canton Geneva runs the first Swiss internet voting trial.
     - 2008, Entering Scytl: Swiss expats are allowed to vote via the Scytl internet voting system in canton Neuchâtel.
     - 2009, Consortium: Eight Swiss cantons form a consortium and commission the Swiss branch of American Unisys with the creation of an internet voting system.
     - 2011, Steering Board: Federal administration and cantons establish a joint steering committee.
  30. Timeline Internet Voting in Switzerland (continued)
     - 2011, Steering Board: Federal administration and cantons establish a joint steering committee.
     - 2015, Consortium dies: The eight consortium cantons throw in the towel after the federal administration bars the system from use in national elections.
     - 2016, Scytl/Swiss Post join: Spanish Scytl and Swiss Post form a joint venture and go into production.
     - 2017, Mainstreaming attempt: The federal chancellor calls for 2/3 of the cantons to offer internet voting for national elections in 2019.
  31. Geneva Quits. Source: Twitter: @GE_chancellerie (1141332323025195009). 2018: Development stopped. 2019: System terminated.
  32. Timeline Internet Voting in Switzerland (continued; 2016 and 2017 entries as on slide 30)
     - 2018, Geneva quits: Political quarrels lead to Geneva stopping all further development. A year later, the system is terminated.
     - 2019, Source Code Publication / Bug Bounty: Scytl / Swiss Post publish the source code of their system and run a 4 week bug bounty.
  33. Swiss Post Bug Bounty: We got this!
  34. Swiss Post / Scytl Source Code: Not so good ... to be continued ...
  35. Timeline Internet Voting in Switzerland (continued; 2016 to 2018 entries as on slides 30 and 32)
     - 2019, Source Code Publication: Scytl / Swiss Post publish the source code of their system. Researchers identify three critical vulnerabilities within weeks. The system is put on hold.
     - 2020, Rebooting: The steering board establishes a dialog with 25 scientists to assess the viability of internet voting and to support the writing of new regulation.
  36. Scientific report: https://www.bk.admin.ch/bk/en/home/politische-rechte/e-voting.html
  37. Timeline Internet Voting in Switzerland (2020 to 2021)
     - 2020.2, Survey: The dialogue starts with a survey of 62 questions sent to 25 scientists.
     - 2020.3, Covid-19 hits: When the on-site workshops were slowly taking shape, Switzerland entered a lockdown and the on-site gatherings had to be called off.
     - 2020.4, Online dialogue: The workshops are replaced with a 12 week online dialogue on a dedicated GitLab platform.
     - 2020.7, Additional research: Several separate research articles are commissioned from individual scientists to bring up more information on individual questions.
     - 2020.11, Scientific report: The steering board publishes the 70 page report with the recommendations of the scientists.
     - 2021.12, New regulation: Following the public hearing on a draft new law, the federal chancellery is meant to put the new regulation on internet voting into practice. Swiss Post has announced it will return to production in 2022.
  38. Summary Internet Voting in Switzerland
     - Switzerland is a useful test bed for online voting
     - Iterative process with strict supervision on the federal level
     - Expert dialogue with recommendations in 2020
     - New regulation 2021
     - New online voting trials scheduled for 2022
     Download the English version of the scientific report / expert dialogue from https://www.bk.admin.ch/bk/en/home/politische-rechte/e-voting.html
  39. How do you pull this off?
  40. Swiss Post Documentation
     - Transparency Initiative (clear advice by the scientific report)
     - Guidelines on how to deploy and tune the OWASP Core Rule Set
     - https://gitlab.com/swisspost-evoting/e-voting/e-voting-documentation/-/blob/master/Operations/ModSecurity-CRS-Tuning-Concept.md
  41. Tune Down to Zero
     - Absence of False Positives
     - Trust in Alerts
     - A Liberating Moment
  42. Positive Security Rule Set
     - Default Deny
     - List of Allowed Resources
     - Reduce Attack Surface
  43. Divide and Rule
     - Zero tolerance
     - Ban attackers
     - fail2ban
  44. Additional Rule Sets Worth Considering
     - Monitoring the flow of the application
     - Timing and rhythm
     - Client Fingerprinting
  45. Defenses Beyond ModSecurity
     - Application Layer DDoS
     - Quality of Service (QoS)
     - IP Reputation / DNS Blacklisting
     - GeoIP
  46. Key Elements of a High Security WAF
     - OWASP ModSecurity CRS at Paranoia Level 4
     - Complementary Positive Security Rule Set
     - Application Level DDoS Defense
     - QoS
     - IP Reputation / DNS Blacklisting
     - GeoIP
  47. Questions and Answers, Contact. Contact: @ChrFolini christian.folini@netnea.com
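Slides 42 and 43 name two practices that complement CRS: a positive security rule set (default deny, list of allowed resources) and banning repeat attackers. As an added example (not from the talk and not Swiss Post's published tuning concept), a small positive security rule set in ModSecurity syntax for a hypothetical application under /vote; the paths, parameter names and patterns are constructed placeholders. The ban uses ModSecurity's persistent `ip` collection as an in-engine stand-in for the fail2ban approach the slide names (fail2ban reads the audit log externally); both express the same zero-tolerance idea. CRS keeps running on every request that passes the allowlist, so the two rule sets stack.

```apache
# Added example, not from the talk. Meant for the
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf slot, i.e. before the CRS rules.
# Assumes SecDataDir is configured (required for the persistent ip collection).

# Initialise the flags explicitly. A rule that tests TX:allowed_resource
# never fires when the variable does not exist, so an unset flag could be
# silently treated as "no decision"; starting from 0 avoids that.
SecAction \
    "id:20000,phase:1,pass,nolog,t:none,\
    setvar:tx.allowed_resource=0,\
    setvar:tx.positive_violation=0,\
    initcol:ip=%{REMOTE_ADDR}"

# Divide and rule: a banned client IP is refused before anything else runs.
SecRule IP:banned "@eq 1" \
    "id:20001,phase:1,deny,status:403,log,\
    msg:'Client IP banned after repeated positive-security violations'"

# Allowlist entry 1: GET of the voting page and a fixed set of static files.
# Chained rules AND their conditions; setvar in the last rule runs only when
# the whole chain matched.
SecRule REQUEST_METHOD "@streq GET" \
    "id:20010,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_FILENAME "@rx ^/vote/(index\.html|static/[a-zA-Z0-9_-]+\.(css|js|png))$" \
        "t:none,setvar:tx.allowed_resource=1"

# Allowlist entry 2: POST to the ballot submission endpoint.
SecRule REQUEST_METHOD "@streq POST" \
    "id:20011,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_FILENAME "@streq /vote/cast" \
        "t:none,setvar:tx.allowed_resource=1"

# Default deny: any request that matched no allowlist entry is blocked and
# counted against the client IP (the counter expires after one hour).
SecRule TX:allowed_resource "@eq 0" \
    "id:20020,phase:1,deny,status:403,log,\
    msg:'Positive security: %{REQUEST_METHOD} %{REQUEST_FILENAME} is not an allowed resource',\
    setvar:ip.violations=+1,\
    expirevar:ip.violations=3600"

# Parameter-level allowlist for /vote/cast (phase 2, body is available).
# 1) No argument name outside the expected set. A negated regex over the
#    ARGS_NAMES collection matches as soon as one name fails the pattern.
SecRule REQUEST_FILENAME "@streq /vote/cast" \
    "id:20030,phase:2,pass,nolog,t:none,chain"
    SecRule ARGS_NAMES "!@rx ^(ballot_id|choice|csrf_token)$" \
        "t:none,setvar:tx.positive_violation=1"

# 2) Each expected argument present exactly once (& counts occurrences), so a
#    missing or duplicated parameter is a violation too.
SecRule REQUEST_FILENAME "@streq /vote/cast" \
    "id:20031,phase:2,pass,nolog,t:none,chain"
    SecRule &ARGS:ballot_id|&ARGS:choice|&ARGS:csrf_token "!@eq 1" \
        "t:none,setvar:tx.positive_violation=1"

# 3) Strict value patterns (constructed placeholders for the example).
SecRule ARGS:ballot_id "!@rx ^[0-9]{1,12}$" \
    "id:20032,phase:2,pass,nolog,t:none,setvar:tx.positive_violation=1"
SecRule ARGS:choice "!@rx ^(yes|no|abstain)$" \
    "id:20033,phase:2,pass,nolog,t:none,setvar:tx.positive_violation=1"
SecRule ARGS:csrf_token "!@rx ^[a-f0-9]{64}$" \
    "id:20034,phase:2,pass,nolog,t:none,setvar:tx.positive_violation=1"

# Any parameter violation is a single, clearly attributed deny.
SecRule TX:positive_violation "@eq 1" \
    "id:20040,phase:2,deny,status:403,log,\
    msg:'Positive security: unexpected or malformed argument on %{REQUEST_FILENAME}',\
    setvar:ip.violations=+1,\
    expirevar:ip.violations=3600"

# Ban after five violations. This sits in phase 5 (logging) on purpose: a
# deny in phase 1 or 2 stops further request processing, but phase 5 still
# runs, so the counter is evaluated for the denied request that crossed
# the threshold. The ban expires after one hour.
SecRule IP:violations "@ge 5" \
    "id:20050,phase:5,pass,nolog,t:none,\
    setvar:ip.banned=1,\
    expirevar:ip.banned=3600"
```

Every deny here logs with its own `msg`, which is what makes the "trust in alerts" point on slide 41 workable: once CRS has been tuned to zero false positives and the allowlist covers every legitimate resource, each remaining alert in the audit log is a real deviation and can drive an automatic ban without a human sorting noise from signal.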
