This dual-subject article serves as an update about some recent security enhancements to the ElectionsOnline website and also some measures to ensure it continues to enjoy virtually 100% availability to permit voting from anywhere, at any time.
Website Security Enhancements
While it’s very likely to become widespread on the web in the not-too-distant future, ElectionsOnline is proud to announce it’s among the early adopters of site-wide SSL (also referred to as always-on SSL). SSL stands for Secure Sockets Layer and is the protocol used by websites to encrypt the transmission of data between a website and a person’s web browser. You see it in action when a site uses https instead of just http in front of the actual web address. Historically, websites that required login, or that processed payment transactions, would implement SSL on those sections of the website to keep the transmission of personal information secure from anyone who might be eavesdropping or attempting to hijack data as it moves “across the wire.” ElectionsOnline has historically been an example of such a site, as traffic to both the ballot and My account sections has always been encrypted. But as of November 2014, the entire site enforces the use of SSL. The reason is not so much that any data you submit is encrypted during transmittal, since you’re not transmitting anything when just perusing a website. Instead, the reason is trust. Encrypting only select areas of a website still leaves the unencrypted sections exposed to certain types of vulnerabilities. While these vulnerabilities are nothing that would compromise a site visitor’s personal information, it’s still theoretically possible the content itself could be altered or otherwise compromised while being delivered from the website to the browser. These are referred to as man in the middle attacks. Were this to actually happen, what you see in your browser might not be what was actually sent by the server. By implementing site-wide SSL, you can trust that any information you access on this site has not been tampered with as it moved across the wire on its way to your browser.
So why implement this now? Historically, serving a page across an encrypted connection has been a relatively processor-intensive operation. The website and your browser needed to negotiate a handshake and agree that this page is about to be served encrypted. Encryption keys needed to be exchanged and the whole process simply consumed a server’s resources and slowed down overall site responsiveness. But web servers have evolved and reached the point where any added overhead to a secure connection is only nominal and not reason enough to dissuade a site owner from using it for everything.
To further preserve performance and enhance security while making the switch to site-wide SSL, ElectionsOnline has also implemented HSTS, HTTP Strict Transport Security. On an initial visit to this website, the server will pass along a command in the header of the request that instructs a browser to make sure any subsequent requests to the same website are only done across a secure, https connection without relying on the user doing anything out of the ordinary to make it happen. It not only improves performance since the server doesn’t have to redirect non-encrypted requests to encrypted ones, but it’s also an added layer of security against man in the middle attacks.
If you’re now alarmed into believing you have to rush out and spend thousands of dollars to implement site-wide SSL on your own personal blog that you share with family and friends, don’t be. This isn’t necessary or even appropriate for every site, but investments in security and trust are more warranted when a web site’s purpose involves things like financial, medical, breaking news, and of course elections.
Website Reliability Enhancements
For years this website has been hosted in a cloud environment, enjoying all the redundancy that is inherent with that, and there’s little more that can be done to keep it up and running, essentially 100% of the time, from a hardware and network standpoint. That said, it is inevitable that the occasional configuration modification to the software side of the web server is necessary. A case in point is discussed just above about implementing HSTS. Doing that required a modification to a configuration file on the server which does have the potential to impact site availability even when the hosting environment itself is functioning normally. To be alerted to any issues about site availability in situations like this, ElectionsOnline has partnered with SiteUptime. SiteUptime requests pages from the site around the clock at regularly-scheduled intervals. Should any such request not respond as expected, alerts are immediately sent so the matter may be responded to as quickly as possible.
Live reporting with statistics captured from SiteUptime is publicly viewable on this website at any time just by visiting https://www.electionsonline.com/uptime.cfm, or by typing “uptime” into the search box.
These are both positive developments that further exemplify ElectionsOnline’s continuing commitment to maintaining a secure and reliable platform for organizational elections.