Social engineering is the term used to describe attacks that involve fooling people into compromising their security. According to election officials, one of the issues that they grapple with is the inability of many people to follow simple directions. For example, it's surprising to learn that, when instructed to circle a candidate's name, people will often underline it. While computers would seem to offer the opportunity to provide an interface that's tightly controlled and thus less subject to error, this is counter to the typical experience most users have with computers. For noncomputer scientists, computers are often intimidating and unfamiliar. User interfaces are often poorly constructed and create confusion rather than simplifying processes.
For the system to be secure, there must be some way for voters to know that they're communicating with the election server. The infrastructure exists right now for computer security specialistswho are always suspicious that they could be communicating with an imposterto verify that their browser is communicating with a valid election server. The SSL protocol and server-side certificates can be used for this. This process has its own risks and pitfalls. Even if this system was flawless, however, it's unreasonable to assume that average Internet users who want to vote on their computers can be expected to understand the concept of a server certificate, verify the authenticity of the certificate, and check the active "ciphersuites" to ensure that strong encryption is used. In fact, most users probably wouldn't be able to distinguish between a page from an SSL connection to the legitimate server and a nonSSL page from a malicious server that looked like the real page.
There are several ways that an attacker could spoof the legitimate voting site. One way would be to send an e-mail message to a user, telling the user to click a link, which would then bring up the fake voting site. The adversary could then collect the user's credentials and, in a sense, steal the vote. An attacker could also set up a connection to the legitimate server and feed the user a fake web page; acting as a "man in the middle," the attacker would transfer information between the user and the web server, with all of the traffic under the attacker's control. This is probably enough to change a user's vote, regardless of how the application is implemented.
A more serious attack is possible by targeting the Internet's Domain Name Service (DNS). The DNS is used to maintain a mapping from IP addresses (such as 126.96.36.199), which computers use to reference each other, to domain names (such as http://www.research.att.com), which people use to reference computers. The DNS is known to be vulnerable to attacks, such as cache poisoning, which change the information available to hosts about the IP addresses of computers. The reason that this is serious is that a DNS cache poisoning attack, along with many other known attacks against DNS, could be used to direct a user to the wrong web server when the user enters the name of the election server into the browser. Thus, a user could follow the instructions for voting, receiving a page that looks exactly as it should, but actually is entirely controlled by the adversary. Detailed instructions about checking certificate validity are not likely to be understood or followed by a substantial number of users.
Another problem along these lines is that any computer under the control of an adversary can be made to simulate a valid connection to an election server, without actually connecting to anything. So, for example, a malicious librarian or cyber café operator could set up public computers that appear to accept votes, but actually do nothing with the votes. This could even work if the computers were not connected to the Internet, since no messages need to be sent or received to fool a user into believing that his or her vote was cast. Setting up such machines in districts known to vote a certain way could influence the outcome of an election.