Re only affected surfers visiting the site from either Facebook
Considering the fuss CEOP made about panic buttons on Facebook why do they say "only" and describe those reporting possible perverts as "surfers"?
The person who discovered that the child abuse reporting mechanism on the website of the Child Exploitation and Online Protection Centre was insecure has reacted with anger to suggestions from the agency that the flaw had only affected surfers visiting the site from either Facebook or Google. He says that contrary to CEOP's …
Considering how much of a song and dance CEOP made about getting the fb panic button added, I'm amazed not to have heard them release any figures about how many children have been "saved" by its very presence...
Call me cynical, but could that be because the number is so close to zero that it would be embarrassing for them to admit that it WAS the waste of time everyone told them it would be? Hmmm...
6,291 intelligence reports have been received by the CEOP Centre – a culmination of reports through the public ‘ClickCEOP’ reporting mechanism, from the online and mobile industries and law enforcement partners in the UK and overseas.
Page 11 http://www.ceop.police.uk/Documents/CEOP_AnnualReview_09-10.pdf
I noticed this on one of their advertised jobs: the two hyperlinks in the listing are to CEOP's own Outlook Web Access site, rather than to www.ceop.police.uk or the mailto: link intended. Copy/paste job gone wrong? (http://www.ceop.police.uk/Recruitment/Vacancies/Head-of-Behavioural-Analysis-SG2-/ )
Clicking on the OWA link shows that there is no current SSL cert installed on that site either. Now, if it were for their GSI email then you could argue that it's on a secure network, but this is for their non-GSI mail, accessible outside of the secure Government network and therefore theoretically at risk of interception.
Technical Details
owa.ceop.gov.uk uses an invalid security certificate.
The certificate expired on 25/09/2010 00:59. The current time is 03/05/2011 12:47.
(Error code: sec_error_expired_certificate)
Part of the security offered by SSL is that not only is the link encrypted, but you know that the site you're sending your confidential information to is who it says it is.
CEOP's internal users become used to ignoring security warnings - and lo, they're trying to pick up email in a hotel lobby at a conference for Paedofinders General and someone's hijacked the wifi and is spoofing CEOP's webmail. Perhaps not very likely, but possible.
Anyway, we have an organisation that can't be bothered to check the links in a job posting on their public website and can't be bothered to renew their SSL certs. An organisation that doesn't secure their report-a-paedo web pages. No wonder industry players were so loath to take instruction from them on how to build web services.
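As an added illustration of the two guarantees the comment above describes (confidentiality and identity), here is a check, written for this thread and not taken from CEOP or the commenter, that flags an expired or misnamed certificate the way a browser does. The certificate dict is constructed to mirror the quoted warning (expiry 25/09/2010 00:59, check at 03/05/2011 12:47) in the shape `ssl.SSLSocket.getpeercert()` returns; the helper names are mine.

```python
import ssl
import time
from datetime import datetime, timezone

# Constructed sample modelled on the warning quoted in the thread; the dict
# mirrors the structure returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "owa.ceop.gov.uk"),),),
    "subjectAltName": (("DNS", "owa.ceop.gov.uk"),),
    "notBefore": "Sep 25 00:59:00 2009 GMT",
    "notAfter": "Sep 25 00:59:00 2010 GMT",  # date format used by getpeercert()
}
# The moment the browser warning in the thread was produced (taken as UTC).
CHECK_TIME = datetime(2011, 5, 3, 12, 47, tzinfo=timezone.utc).timestamp()

def _dns_names(cert):
    """Names the certificate is valid for: SANs first, CN only as a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def _name_matches(pattern, hostname):
    """RFC 6125-style match: '*' may stand for exactly one leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h)))

def check_cert(cert, hostname, now=None):
    """Return the problems a browser would warn about (empty list = OK).
    Validity period and name are checked separately because each failure
    defeats a different SSL guarantee: a stale cert may belong to a key that
    is no longer controlled, a wrong name means the site is not who it claims."""
    now = time.time() if now is None else now
    problems = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if now > not_after:
        days = int((now - not_after) // 86400)
        problems.append(f"expired {days} days ago (notAfter={cert['notAfter']})")
    elif now < not_before:
        problems.append(f"not yet valid (notBefore={cert['notBefore']})")
    if not any(_name_matches(n, hostname) for n in _dns_names(cert)):
        problems.append(f"certificate is not issued for {hostname}")
    return problems

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "owa.ceop.gov.uk", now=CHECK_TIME))
```

Run against the dict from a verifying `getpeercert()` call on a live host, the same function turns an expiry into a monitored number of days rather than a warning users learn to click through.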
The lack of https use is not great, but it is to their credit that they at least fixed it quickly once they were told about it. They should have run SSL from the start, but realistically I do assume the "man in the middle" is much more likely to be looking for credit card numbers and bank account info than looking for use of CEOP web site.
On the other hand, saying it was only unencrypted when coming from Facebook or Google is a flat-out lie, and that is pretty inexcusable.