BBC News - Ceop website form 'could have put children at risk'
Ian Batten
igb at batten.eu.org
Sun Apr 10 15:14:04 BST 2011
>
> Given that there's no money to be made intercepting reports of child
> abuse, I wonder what the practical risk is from third parties. If
> there's an abuser in the same household with access to (and checking
> up on) the child's PC, then being able to see the browser history
> will be enough to ring their alarm bells, without actually having to
> go to the bother of intercepting all the traffic.
Well, a sophisticated abuser could play with the DNS, routing or a
trap proxy within their household to redirect traffic to a fake
website which notified them of the report and then discarded it. But it
seems a bit far-fetched, and the only advantage of http over https to
such an adversary is that the attack wouldn't throw a certificate
warning; given the poor standards of certificate hygiene both on
servers and amongst users (especially children), the same attack on
https would be almost certain to work anyway.
ian
More information about the ukcrypto mailing list