I'm a little bit surprised about today's Schneier blog post " Security Vulnerability of Switzerland’s E-Voting System " Just to add some context before continuing: I've been researching into that specific e-Voting system since 2022. I've reported quite a few vulnerabilities (I hold the 1st place in the 'SwissPost e-Voting' Bug Bounty program), also publishing detailed write-ups for some of these security issues. Even today I got some really bad vulnerabilities still being reviewed. I understand, and support, all the precautions about e-Voting technologies security people usually express. That said, I can't understand the commonplace assertions that depict e-Voting as an unsolvable problem in general terms, which would irremediably leave us with just the 'paper' option. However, the worst part is that the issue described in that article, that apparently sustains the subsequent reasoning, is not even a vulnerability but a malware-b
-------------- Update from 06/10/2023 : following my publication, I’ve been in contact with France Identité CISO and they could provide more information on the measures they have taken in the light of these findings: We would like to thank you for your in-depth technical research work on “France Identite” app that was launched in beta a year ago and for which you were rewarded. As you know, the app is now generally available on iOS and Android through their respective app stores. Your work, alongside French cybersecurity agency (ANSSI) research, made us update and modify deeply the E2EE Secure Channel used between the app and our backend. It is now mostly based on TLS1.3. Those modifications were released only a few weeks after you submitted your work through our private BugBounty program with YesWeHack. That released version also fixes the three other vulnerabilities you submitted. From the beginning of “France Identite” program, it was decided to implicate cybersecurity community,