Wednesday, February 27, 2008

Security And The Eclipse Board Elections

So, I just voted in the Eclipse Board elections. I encourage everyone entitled to a vote to do the same.

I'm not feeling the greatest about the security of the whole thing though. My password to login to the voting system was sent via email, which is not a very secure protocol given that the contents are sent out in the clear. Why couldn't I just login using my SSH credentials, which are relatively secure? Granted, the likelihood that someone is sniffing committers' email in an attempt to fraudulently login and rig the board elections is pretty low, but it's the principle of the thing.

Even worse, was that after I voted, the system told me to expect a confirmation email. Ok, great. Except, the confirmation email contains a listing of how I voted for all the candidates. So much for secret ballots. Oy.