Friday, February 11, 2011

Online poll ballot stuffing

What techniques are there to prevent ballot stuffing in online polls while allowing anonymous users to vote?

From stackoverflow deadprogrammer

  • Not many good ones. You could filter out duplicate voters by IP address, but then you limit multiple voters from within one organization who appear to be coming from the same IP address to the outside world.

    You could also try cookies, but anyone who's determined enough can still cheat.

    From Bill the Lizard

  • Logging IP addresses or setting a cookie. But that won't stop people with the will/means to get other IP address or delete cookies.

    From Aaron Maenpaa

  • The most obvious methods are cookies, which can be defeated, and IP tracking, which requires tracking on the server side who has voted and disallowing duplicates. Unfortunately, IP tracking is not perfect either, since some ISPs force all web traffic through proxies.

    From Glomek

  • Cookies is another method, but also not fail proof as people can use multiple computers. If it's really important, require registration and limit each user to one vote (which again isn't foolproof since emails are a dime a thousand).

    Aaron Maenpaa : That doesn't really stop people who are willing to register multiple accounts.
    From John Sheehan

  • You could limit the responses to one per IP, but then you'll be blocking people behind NAT. Really there is no good way. Cookies could be cleared and just about anything else that would work would require a browser extension of some sort that would be browser-specific.

    From tloach

  • Echoing the IP address answer, maybe add in a limit of one vote per hour per IP address.

    It depends on how popular your poll is going to be in terms of number of people and where they're coming from.

    From Schnapple

  • First of all, make sure that your voting application is immune to cross-site request forgery.

    Next, mark in each vote the information you know about the user (IP, user agent string, time of vote, permanent cookie, optional email address, email confirmation link clicked, etc.) and then compute several vote totals. Use statistical analysis to figure out if a user is stuffing the ballot box. Show those people who appear to be stuffing the ballot box the total that they would expect if their actions are successful.

    It's probably worth it to use permanent and session cookies to block users from voting more than once. If, for example, you detect a single IP address voting more than once (and clearing it's cookies each time), let that IP address think that it's votes are counting. This may prevent the attacker from attempting to create a more sophisticated attack.

    Obviously, this doesn't stop attackers, but if you have diverted the attacks to those you can anticipate and you can show something close to one-user-one-vote results to anyone who is not an attacker, you're doing pretty well.

    ceejayoz : The sandboxing abusive users thing is a great idea.
    From Joseph Bui

  • First, you have cookies. If all you're doing is checking for their presence, that can be circumvented by someone deleting them and appearing like a new user.

    Here's a thought. All visitors get a cookie. Whether they vote or no. If they have a cookie, they've been here before, THEN they get to vote. After they vote, you change their cookie.

    If they don't have a cookie, this is their first visit. Make them go to some form and fill in a field or click a checkbox or something before you give them a cookie so they can vote.

    If there's always a cookie, simply deleting it won't let you post a new vote. If the cookie has IP address and timestamp stuff, they can't easily copy it, either.

    Be sure that your initial "I accept" form (or whatever you use) has button and field names generated randomly, so that someone can't simply save the HTML and use it in a loop that repeats a POST request. They have to get your silly form, parse it, and respond sensibly to get their cookie so they can vote.

    Also, include a timestamp as one of the field names in the form. If they can't respond in a few minutes report a "we're having difficulties". A person can do a "back" and try again. A piece of software will be slowed down until someone writes that exception handler.

    Second, you have Captchas. Annoying, but, they allow you to detect human beings most of the time. They can be circumvented, too, but how important is your poll, really?

    You don't have to captcha everyone. Use the IP address, the screen resolution, the time zone -- any of that HTTP header stuff that comes back with a request. Use one or two elements in addition to the cookie. Any changes in screen size or time zone or whatever, and you may be dealing with a robot and want to insert a captcha into the workflow.

    From S.Lott

  • There is no way to prevent ballot stuffing in a fully-online poll. There are ways to make it harder, though. Cookies will be cleared by most anyone smart enough to try ballot stuffing to begin with, but they may still stop a few people, so they're worth using. Also, requiring a valid email address and sending a confirmation link to it. Someone can still register hundreds of addresses on free email sites, though, and so in order to help combat that, you can set a random time delay of several hours before the confirmation email is sent. This may stop some people, as it makes it somewhat more difficult to keep track of all the fake email accounts they registered and have to log back into in order to complete the voting process.

    From $pageUsers[$post.author].name

  • Here's a starting point for browser finger printing.

    http://www.tgdaily.com/security-features/49802-browsers-leave-fingerprints-that-identify-users

    From Bellyboy
Posted by Mu Cat at 10:04 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)