Shower of amateurs
They're such experts that they've been chasing around Europe lobbying for Internet blocking while, in reality, they are such amateurs that they cannot run a basic website.
A member of the public was shocked to find that links to a web page used to report incidents of suspected child abuse to the Child Exploitation and Online Protection Centre were insecure. Concerned parties visiting a confidential report abuse webpage on CEOP's webpage from either Facebook or Google were directed to an …
then your question does not even have any bearing on the matter does it? You might as well say 'yes but do you have a freezer full of frozen peas? No? Thought not'.
If you WERE questioning the validity (which you obviously were) then you have to provide some contrary evidence, otherwise you are just arbitrarily stating that 'these stats are wrong'.
Nice try though.
The site is a plate of spaghetti. If you do manage to find the report form from among the pretty buttons, you will find that it is encrypted. But you got there directly from an unencrypted page. Click on the pretty button to exit the page and you are taken back to the previous page except it is now encrypted.
Doh!
Would you really want to download some of their software?
Confused
"A member of the public was shocked to find that links to a web page used to report incidents of suspected child abuse to the Child Exploitation and Online Protection Centre were insecure."
but the article states if you actually wanted to report something you did go to a secure page as below....
"Concerned parties visiting a confidential report abuse webpage on CEOP's webpage from either Facebook or Google were directed to an unencrypted page, before being redirected onto a page with a secure SSL link – if users actually decided to file a report."
so it was only the click thru that was unencrypted.... and as anyone will know it's very hard to stop someone putting a link to your site on theirs (even worse from a search engine).
I can't think of an option to fix this, whatever the website returns for the click thru, a 404, redirect etc will still result in the click thru being sent in clear text in the first place.
But what does it provide to someone listening, an IP address and some search terms.... IP address will usually be dynamic or a gateway and the terms will probably be obvious unless you are saying Google/Facebook are being stupid enough to pass personal details which I'd be pretty sure they are not.
The worst I could see is someone listening in for IPs and then somehow trying to get in touch with the person who clicked thru and pass themselves off as CEOP.
If there is an issue it's that those linking to the site used a http link rather than https and didn't ensure that no arguments were passed.
So I fail to see the story really, and it's better someone reports a problem than gets a 404 error or gets put off by a pop up about it being a link to a secure web site or some such message.
The story is that it was not originally possible for people to submit reports using a secure link. So, since the reporting page was up, all reports that have been submitted which includes personal details of the victim, name, address, dob, sex, school, mobile tel etc, details of the incident, when, where, how etc, personal details of the alleged attacker, name address relationship to the victim etc were sent in the clear i.e. not encrypted.
The vulnerability is EXACTLY the reason why we conduct purchases over the Internet through https (Secure) and not http (Insecure). There is a presumption and an expectation that we need to protect our credit card information because it WILL be captured. The reports sent through the CEOP website were sent through http (insecure) and not (https) which means that there is a likelihood that those very personal reports could have been captured.
For example, the impact of the report being captured could be vigilantism upon the alleged attacker leading to physical harm. That is one of the worst case scenarios for the Information Commissioner's Office (ICO).
TelB
Surely the biggest risk for a site like this is that it will be on the browser history list rather than that someone could conceivably do a man in the middle attack?
Think about it. Who is going to want to know about the data being sent to a child protection agency? It has no financial value, but the paedophiles who might get reported to them will want to know so they can punish the child etc for shopping them in. There is a good chance that they will have access to the end point and can either use the browser history or some sort of monitoring software to see what they have been up to. They probably won't infiltrate an ISP or set up a dodgy wireless access point so they can harvest data going over the line.