Child protection website insecurity fixed

A member of the public was shocked to find that links to a web page used to report incidents of suspected child abuse to the Child Exploitation and Online Protection Centre were insecure. Concerned parties visiting a confidential report abuse webpage on CEOP's webpage from either Facebook or Google were directed to an …

COMMENTS

This topic is closed for new posts.
  1. Not Fred31
    Coffee/keyboard

    Shower of amateurs

    They're such experts that they've been chasing around Europe lobbying for Internet blocking while, in reality, they are such amateurs that they cannot run a basic website.

    1. Anonymous Coward
      Flame

      Maybe but ....

      Their record in detecting, preventing and prosecuting child abuse is actually rather good, which is what they are there for, not for running websites.

      Until of course, they shut down in 2013 thanks to the ConDem twats.

      1. Richard Wharram

        wtf

        Any evidence to support this assertion other than Jim Gamble's press releases?

        1. Anonymous Coward
          FAIL

          Here you go

          These are their own stats:

          http://www.ceop.police.uk/Media-Centre/Statistics-and-facts/

          If you choose not to believe them, then it is you who must give evidence to dispute them.

          1. Richard Wharram

            Well actually

            I did say "other than".

            You don't work for/with them do you?

            1. Anonymous Coward

              Nope

              Don't work for them. Or any government department or contractor or anything related.

              Where are your stats conflicting with these then? Don't have any? Then I think, therefore, with no evidence, you have no argument. QED.

              1. Richard Wharram
                Stop

                a title

                I wasn't aware I needed evidence to ask a question. Since you haven't actually answered my question then I give up. You win at internets etc...

                1. Anonymous Coward

                  If you weren't questioning the validity of the statistics

                  then your question does not even have any bearing on the matter does it? You might as well say 'yes but do you have a freezer full of frozen peas? No? Thought not'.

                  If you WERE questioning the validity (which you obviously were) then you have to provide some contrary evidence, otherwise you are just arbitrarily stating that 'these stats are wrong'.

                  Nice try though.

      2. Anonymous Coward

        The writing was on the wall

        Before the general election.

  2. Anonymous Coward
    Megaphone

    it is all too common

    Our personnel muppets^H^H^H^H^H^H^H department want people to contact them

    via a website without SSL,

    AND have a visible directory with personal details behind that

    (name, address, phone, grade...)

  3. Ian McLaughlin
    Stop

    SSL?

    Is SSL secure or not? I can't keep up!

  4. Anonymous Coward
    FAIL

    Still not fixed

    The site is a plate of spaghetti. If you do manage to find the report form from among the pretty buttons, you will find that it is encrypted. But you got there directly from an unencrypted page. Click on the pretty button to exit the page and you are taken back to the previous page except it is now encrypted.

    Doh!

    Would you really want to download some of their software?

  5. Anonymous Coward
    WTF?

    Non Story?

    Confused

    "A member of the public was shocked to find that links to a web page used to report incidents of suspected child abuse to the Child Exploitation and Online Protection Centre were insecure."

    but the article states if you actually wanted to report something you did go to a secure page as below....

    "Concerned parties visiting a confidential report abuse webpage on CEOP's webpage from either Facebook or Google were directed to an unencrypted page, before being redirected onto a page with a secure SSL link – if users actually decided to file a report."

    so it was only the click thru that was unencrypted.... and as anyone will know it's very hard to stop someone putting a link to your site on theirs (even worse from a search engine).

    I can't think of an option to fix this, whatever the website returns for the click thru, a 404, redirect etc will still result in the click thru being sent in clear text in the first place.

    But what does it provide to someone listening, an ip address and some search terms.... ip address will usually be dynamic or a gateway and the terms will probably be obvious unless you are saying google/facebook are being stupid enough to pass personal details which I'd be pretty sure they are not.

    The worst I could see is someone listening in for ip's and then somehow trying to get in touch with the person who clicked thru and pass themselves off as CEOP.

    If there is an issue it's that those linking to the site used a http link rather than https and didn't ensure that no arguments were passed.

    So I fail to see the story really, and it's better someone reports a problem than gets a 404 error or gets put off by a pop up about it being a link to a secure web site or some such message.

    1. TelBradley

      Clarification

      The story is that it was not originally possible for people to submit reports using a secure link. So, since the reporting page was up, all reports that have been submitted which includes personal details of the victim, name, address, dob, sex, school, mobile tel etc, details of the incident, when, where, how etc, personal details of the alleged attacker, name address relationship to the victim etc were sent in the clear i.e. not encrypted.

      The vulnerability is EXACTLY the reason why we conduct purchases over the Internet through https (Secure) and not http (Insecure). There is a presumption and an expectation that we need to protect our credit card information because it WILL be captured. The reports sent through the CEOP website were sent through http (insecure) and not (https) which means that there is a likelihood that those very personal reports could have been captured.

      For example, the impact of the report being captured could be vigilantism upon the alleged attacker leading to physical harm. That is one of the worst case scenarios for the Information Commissioner's Office (ICO).

      TelB

      1. jonathanb Silver badge

        Re: Clarification

        Surely the biggest risk for a site like this is that it will be on the browser history list rather than that someone could conceivably do a man in the middle attack?

        Think about it. Who is going to want to know about the data being sent to a child protection agency? It has no financial value, but the paedophiles who might get reported to them will want to know so they can punish the child etc for shopping them in. There is a good chance that they will have access to the end point and can either use the browser history or some sort of monitoring software to see what they have been up to. They probably won't infiltrate an ISP or set up a dodgy wireless access point so they can harvest data going over the line.
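
Added example, not part of any comment above and not CEOP's code: a small audit of the page flows the thread describes (a report form submitted over http, and an https form reached through an http hop). The host `reports.example.org`, the hop tuples and the finding strings are constructed for illustration; the HSTS check relies on the standard `Strict-Transport-Security` response header.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_hops(hops):
    """hops: (url, response_headers, html) tuples in the order a browser
    follows them. Returns a list of (url, finding) tuples."""
    findings = []
    for url, headers, html in hops:
        scheme = urlsplit(url).scheme
        names = {k.lower() for k in headers}
        if scheme == "http":
            # URL, query string and page body are visible on the wire.
            findings.append((url, "plaintext hop"))
        elif "strict-transport-security" not in names:
            # Nothing tells the browser to skip http on the next visit.
            findings.append((url, "https without HSTS"))
        parser = _FormActions()
        parser.feed(html)
        for action in parser.actions:
            target = urljoin(url, action)  # empty action posts to the page URL
            if urlsplit(target).scheme == "http":
                findings.append((url, "form submits in clear to " + target))
            elif scheme == "http":
                # The form markup itself arrived unauthenticated.
                findings.append((url, "https form served from plaintext page"))
    return findings


# Constructed flows on a placeholder host.
HOST = "reports.example.org"
ORIGINAL = [("http://%s/report?src=search" % HOST, {},
             '<form method="post" action="submit"></form>')]
AFTER_FIX = [("http://%s/landing" % HOST, {}, '<a href="/report">Report</a>'),
             ("https://%s/report" % HOST, {"Content-Type": "text/html"},
              '<form method="post" action="/submit"></form>')]
HARDENED = [("https://%s/report" % HOST,
             {"Strict-Transport-Security": "max-age=31536000"},
             '<form method="post" action="/submit"></form>')]
```
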
