Transparency is essential when monitoring your users' activities

Posted by    on   Sep 20, 2017

The inspection of HTTPS traffic is a sensitive issue among security experts. On the one hand, there are those who argue that this breaks the important end-to-end principle of secure connections, while others argue that it is essential if one wants to block malicious network traffic, which is increasingly using HTTPS.

I tend to side with the latter group, but with great power comes great responsibility, and there are a few criteria that need to be satisfied by those doing the inspection.

Firstly, users should have alternative ways of accessing the content without being monitored. This is satisfied in a work environment, where users can switch to mobile devices or use their home Internet connection, but not when monitoring happens at the level of a country or region.

Secondly, the interception should be such that it does not degrade the security of the connection. It is possible to achieve this, but many security products have failed here. At VB2017 next month, Cloudflare's Nick Sullivan will give a Small Talk on this very subject, aiming to help security products to do things better and thus relieve the tensions in the encryption vs inspection debate.

And thirdly, the interception should be transparent to the user. This is also what the European Court of Human Rights said recently when it ruled that companies that monitor their employees' work accounts should notify them in advance.

I would thus recommend organizations that monitor network traffic and other user activities to be upfront about it, and to discuss their monitoring activity as part of the regular security training they provide to their employees. As for these employees, a nice online tool developed by the same Nick Sullivan will tell you whether your traffic is being monitored. (The tool is currently in beta and appears to give false positives or false negatives for some users.)


A related issue occurs with consumer spyware: mobile apps used by people to spy the activities on (ex-)partners – the subject of a VB2017 presentation by Joseph Cox of The Daily Beast. Such apps are despicable, yet functionally barely any different from apps used by parents to monitor their children's mobile phone usage.

There is one big difference though: transparency. Legitimate child monitoring apps will make it clear to the phone's user that their activities are being monitored. If apps fail to do so, even if they make bold claims about wanting to protect children, they should not be used – and ideally should be blocked.

Whether it concerns children or employees, treating users as potential adversaries isn't helpful and may even have an adverse effect – something that is argued by Forcepoint's Kirstin Leary and Richard Ford in their VB2017 paper on the inside threat. But it would be naive to assume that users never do things they shouldn't, whether intentionally or by mistake. The monitoring of activities by a security product can mitigate the risks that come with this. But do make sure to do it right.

Registration for VB2017 (4-6 Oct in Madrid, Spain) is still open. Places are filling up fast – book now to avoid disappointment!




Latest posts:

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.