BBC News - Ceop website form 'could have put children at risk'

Ian Batten igb at
Sun Apr 10 15:14:04 BST 2011

> Given that there's no money to be made intercepting reports of child  
> abuse, I wonder what the practical risk is from third parties. If  
> there's an abuser in the same household with access to (and checking  
> up on) the child's PC, then being able to see the browser history  
> will be enough to ring their alarm bells, without actually having to  
> go to the bother of intercepting all the traffic.
> -- 

Well, a sophisticated abuser could play with the DNS, routing or a  
trap proxy within their household to redirect traffic to a fake  
website which notified them of the report and then discarded.  But it  
seems a bit far fetched, and the only advantage of http over https to  
such an adversary is that the attack wouldn't throw a certificate  
warning; given the poor standards of certificate hygiene both on  
servers and amongst users (especially children), the same attack on  
https would be almost certain to work anyway.


More information about the ukcrypto mailing list