Sept. 27, 2014 – As many of you know, to help manage this year’s Nomination Committee (NomCom) and Board of Directors elections, PASS implemented a web-based online voting system called Simply Voting, one of the largest and most respected online voting solutions.
In response to questions about the security of member passwords in the voting process, we wanted to share how member passwords were communicated and authenticated between PASS and Simply Voting in June’s NomCom elections. We also want to explain the steps taken to add SSO integration for Simply Voting and to add SSL certificates to all PASS websites, to better secure member login information for this year’s Board elections and beyond.
To the best of our knowledge, no PASS member information has ever been compromised or misused by any party. However, protecting the integrity and security of PASS members’ information is paramount. With the steps we’ve taken to tighten security, explained below, we ask that all members take the opportunity this weekend while this information is fresh in your mind to update your password. With these changes, you can make your updates with confidence that your profile information is secure.
SSO Integration for Voting
In our initial implementation of Simply Voting for the NomCom election, we used the system’s standard security option, which prompted the voter for his/her PASS username and password. Simply Voting then passed those credentials via SSL to PASS for validation and at no time stored the voters’ login information.
Simply Voting is certified with TRUSTe, the same certification used by websites such as eBay, Apple, and those of other retail giants. And while the standard Simply Voting implementation is faster and easier for organizations to deploy and the single link to the ballot is more straightforward for voters, there is still risk – however small – associated with giving a third party access to login data.
During the NomCom elections, several community members contacted PASS about the process and expressed concerns about that risk. The PASS Board agreed with the community’s concerns and implemented the stricter single sign-on (SSO) security protocol with Simply Voting for this and future PASS elections.
In the updated SSO solution for the PASS Board elections, voters log in to sqlpass.org to access a personalized voting URL that redirects them to the ballot on Simply Voting. No external log-in is required.
PASS IT updated the API integration with Simply Voting and made the necessary UI changes under myPASS to set up and display the voting URL to eligible voters. The extra effort was well worth it to ensure the security of member information. While we appreciate that Simply Voting is a TRUSTe-certified vendor, the security of our members’ information is our utmost concern.
SSL Certificates for PASS Websites
However, we weren’t quite finished. Community members noted this week that we still had a security vulnerability because PASS’s website didn’t have SSL certificates installed. In the case of Simply Voting, a query string containing the username and a salted hash (composed of the username and a system security passphrase) is passed from the PASS website to Simply Voting, which validates the information and allows the member access to his/her ballot. Without an SSL certificate to validate our website’s identity and encrypt all information sent to and from it, that string travels in the clear and is potentially vulnerable to interception.
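To make the SSO hand-off described above concrete, here is an added illustration of the two halves of such an exchange: the sending site derives a keyed hash of the username under a shared passphrase and places it in the personalized voting URL, and the receiving site recomputes the hash and compares it before admitting the voter. This is example code written for this page, not PASS’s or Simply Voting’s implementation; the announcement only says "salted hash," so the choice of HMAC-SHA256, the parameter names "user" and "sig," the hostname, and the passphrase value are all assumptions or constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the "system security passphrase" is configured on both sides
# out of band. This value is a constructed placeholder, not a real secret.
SHARED_PASSPHRASE = b"constructed-placeholder-passphrase"


def sign_username(username: str, passphrase: bytes = SHARED_PASSPHRASE) -> str:
    """Keyed hash of the username under the shared passphrase.

    HMAC-SHA256 is an assumption; the page says only "salted hash composed of
    the username and a system security passphrase."
    """
    return hmac.new(passphrase, username.encode("utf-8"), hashlib.sha256).hexdigest()


def build_voting_url(username: str,
                     base: str = "https://vote.example.invalid/ballot") -> str:
    """Sending side (the member site): personalized URL carrying user + hash.

    The base URL is a constructed placeholder. Both values ride in the query
    string, which is exactly the part that is readable on the wire without TLS.
    """
    query = urlencode({"user": username, "sig": sign_username(username)})
    return f"{base}?{query}"


def validate_voting_url(url: str, passphrase: bytes = SHARED_PASSPHRASE):
    """Receiving side (the voting vendor): recompute and compare the hash.

    Returns the username when the hash matches, otherwise None. The comparison
    is constant-time so the check itself does not leak via timing.
    """
    params = parse_qs(urlparse(url).query)
    user = params.get("user", [None])[0]
    sig = params.get("sig", [None])[0]
    if not user or not sig:
        return None
    expected = sign_username(user, passphrase)
    if not hmac.compare_digest(expected, sig):
        return None
    return user


def query_string_is_protected(url: str) -> bool:
    """The page's point: only under https is the user+hash query encrypted in transit."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    url = build_voting_url("alice")
    print(url)
    print("validated as:", validate_voting_url(url))
    print("protected in transit:", query_string_is_protected(url))
```

Two things the example makes visible that the paragraph does not: a URL whose username has been altered fails validation because the hash no longer matches, so the keyed hash protects integrity of the hand-off; and nothing in the hash protects confidentiality, which is why the announcement’s SSL rollout was still needed to keep the query string from being read in transit.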
Over the past 36 hours, the PASS IT team applied SSL certificates to the main sqlpass.org site, our event sites and VC/Chapter sites, as well as SQLSaturday.com (public and admin sites). This effort resolves both the Simply Voting query string issue and the issues our members have raised about overall login security on our sites themselves.
For the peace of mind and security of all PASS members, and especially those who voted in the NomCom elections, we ask that you please take a moment to update your password if you haven’t already. Note that all member passwords are encrypted in the database.
We apologize for the oversight in not having SSL certificates implemented earlier and for the inconvenience this has caused.
Thanks to everyone who provided feedback on better securing PASS’s environment and member information, and please let me know if you have other questions or concerns.
– Adam Jorgensen,
PASS Executive VP, Finance and Governance