Securely Opening PDFs Gotten By Email or Fax

From Tama Hacks
Jump to navigation Jump to search

Lots of election administrators in U.S. counties and states require to get and open PDF files from citizens. A few of these administrators get these PDFs as e-mail accessories. These might be filled-out citizen registration kinds, or perhaps voted tallies from UOCAVA (abroad and military) citizens. All of us understand that malware can prowl in e-mail accessories; how can those election authorities safeguard themselves from being hacked?

Web return of voted tallies is naturally insecure; that's a different problem and I'll discuss it listed below. In the meantime, how can one securely open a PDF accessory?

I discussed this concern with Dan Guido, cybersecurity specialist and CEO of trailofbits.com. The safe method to see a PDF is inside the Chrome or Firefox internet browser. Printing a PDF straight from Chrome (or Firefox) to your printer is fairly safe. The risky method to see a PDF is with your preferred PDF-viewer app such as Adobe Reader.

The factor is easy: Google (for Chrome) and Mozilla (for Firefox) have actually put huge effort into making their PDF audiences safe, putting them inside a "sandbox" that the hackers can't leave - and they have actually mainly prospered.

The PDF file format has numerous odd functions and intricate performance that are not required for basic files. Chrome and Firefox do not trouble to comprehend the odd functions: they focus on getting the typical functions showed securely. On the other hand, Adobe Reader does deal with all the functions of PDF; that's a much bigger thing to get completely right, and (maybe) security is not Adobe's greatest concern.

In some cases that indicates that Chrome or Firefox do not render your file correctly; however this is not likely to be an issue for basic files such as optical-scan ballots or voter-registration types.

In some methods that's a bit frustrating. I like Adobe Reader's navigation and document-viewing centers far more than I like the internet browser's integrated PDF screen. However I must beware to utilize Adobe tools just for files whose provenance I understand, or that have actually been otherwise vetted.

If you do conserve your PDF to a file, and are lured to open it later on: once again, you can utilize Chrome or Firefox to open it. (See likewise: PDF.js) If you desire to open it in a full-featured (however less safe) tool, initially utilize a PDF "triage tool" such as PDFid, which will scan the file and inform you if anything looks suspicious.


Is it safe to utilize Fax?
Lots of jurisdictions still allow (or need) types and tallies to be sent out to them by Fax. Is that safe?

When upon a time, a "fax maker" was linked to a "land line" that went through the "phone network." How safe that remained in 1985 is no longer appropriate today, when no one has a "fax maker" and the "phone network" is the Web.

Many citizens, and numerous election administrators, utilize online fax FaxitFast services such as HelloFax. The citizen logs in and submit a PDF file; the fax service transforms it to a fax-format bitstream and sends it into the part of the Web called "the phone system"; the receiver logs in (maybe to a various online fax service) and downloads a PDF file that has actually been transformed from the bitstream.

This has many points of insecurity: the sender's online-fax from macbook air service business might be basically susceptible to hackers (or experts); the receiver's online-best fax to email service service, ditto; and the fax-format bitstream is transferred unencrypted, unauthenticated throughout the phone network.

On the other hand, email can be a lot more protected than that. If you utilize a significant e-mail supplier (such as gmail, Microsoft, fastmail) that understands what it's doing; and if the recipient likewise utilizes a trusted e-mail company, then: your email is published encrypted (and confirmed) to an SMTP server, which goes encrypted (and confirmed) to another SMTP server, which is downloaded encrypted (and confirmed) to the recipient's mail reader. The huge bulk of Web e-mail traffic is safeguarded by doing this.


So e-mail your things, do not fax it.
Is e-mail safe? Can we vote that method?


If email is a lot more safe than it was thirty years earlier, can we securely vote by email?
Sadly, no. Even if Web messages (by email or other procedures) are safe in transmission, the most significant security lapses remain in the server computer systems and particularly in the customer's (citizen's) computer systems. Hackers who can permeate the security of those systems can alter votes prior to they're sent out, or after they're gotten (however prior to they're counted).

Additionally, email is sent out from the citizen's computer system to the SMTP server (at Google, or Microsoft, or fastmail ...) where it is unencrypted and reencrypted for sending out to the receiver's SMTP server (at Microsoft, or fastmail, or Google, ...). It resembles, you mail your absentee tally to your proprietor, who takes it out of its envelope, puts it in a fresh envelope, and mails it to an election authorities. Even if we trust our property owner (and I anticipate Google, Microsoft, and fastmail are doing a great task), should we require to trust this intermediary? The citizenry choose their federal government; we do not delegate this procedure to a couple of huge tech business.

And lastly, 6% of e-mail (that's either outbound or incoming from gmail.com) is still unencrypted-that is, insecure. 6 percent might not look like a lot, however it's countless users.


Is e-mail voter-registration protected enough?
Web return of voted tallies, which is not securable by any recognized innovation. However voter-registration can fairly be done by email: the citizen sends out in a type, possibly a scan-to-PDF of their printed and signed registration kind. The factor this can work, when it can't work for voted tallies, is the capability to investigate the specific deal: after a couple of days, the citizen can examine the status of their registration with the election authorities, or the election authorities can get in touch with the citizen to examine up. So even if there's hacking in the customer or server computer system, it can be identified and remedied. With tallies, we have the secret tally: no one is expected to find out how you voted. Without the capability to examine and fix later on, "did my tally get counted for the individual I chose?", web ballot is insecurable.

Retrieved from "https://tamahacks.com/index.php?title=Securely_Opening_PDFs_Gotten_By_Email_or_Fax&oldid=97972"