BBC News - Ceop website form 'could have put children at risk'

Ian Batten igb at batten.eu.org
Sun Apr 10 15:14:04 BST 2011


>
> Given that there's no money to be made intercepting reports of child  
> abuse, I wonder what the practical risk is from third parties. If  
> there's an abuser in the same household with access to (and checking  
> up on) the child's PC, then being able to see the browser history  
> will be enough to ring their alarm bells, without actually having to  
> go to the bother of intercepting all the traffic.

Well, a sophisticated abuser could play with the DNS, routing or a
trap proxy within their household to redirect traffic to a fake
website which notified them of the report and then discarded it.  But it
seems a bit far-fetched, and the only advantage of http over https to
such an adversary is that the attack wouldn't throw a certificate
warning; given the poor standards of certificate hygiene both on
servers and amongst users (especially children), the same attack on
https would be almost certain to work anyway.

ian


