Transparency is essential when monitoring your users' activities

Posted by    on   Sep 20, 2017

The inspection of HTTPS traffic is a sensitive issue among security experts. On the one hand, there are those who argue that this breaks the important end-to-end principle of secure connections, while others argue that it is essential if one wants to block malicious network traffic, which is increasingly using HTTPS.

I tend to side with the latter group, but with great power comes great responsibility, and there are a few criteria that need to be satisfied by those doing the inspection.

Firstly, users should have alternative ways of accessing the content without being monitored. This is satisfied in a work environment, where users can switch to mobile devices or use their home Internet connection, but not when monitoring happens at the level of a country or region.

Secondly, the interception should be such that it does not degrade the security of the connection. It is possible to achieve this, but many security products have failed here. At VB2017 next month, Cloudflare's Nick Sullivan will give a Small Talk on this very subject, aiming to help security products to do things better and thus relieve the tensions in the encryption vs inspection debate.

And thirdly, the interception should be transparent to the user. This is also what the European Court of Human Rights said recently when it ruled that companies that monitor their employees' work accounts should notify them in advance.

I would thus recommend organizations that monitor network traffic and other user activities to be upfront about it, and to discuss their monitoring activity as part of the regular security training they provide to their employees. As for these employees, a nice online tool developed by the same Nick Sullivan will tell you whether your traffic is being monitored. (The tool is currently in beta and appears to give false positives or false negatives for some users.)


A related issue occurs with consumer spyware: mobile apps used by people to spy the activities on (ex-)partners – the subject of a VB2017 presentation by Joseph Cox of The Daily Beast. Such apps are despicable, yet functionally barely any different from apps used by parents to monitor their children's mobile phone usage.

There is one big difference though: transparency. Legitimate child monitoring apps will make it clear to the phone's user that their activities are being monitored. If apps fail to do so, even if they make bold claims about wanting to protect children, they should not be used – and ideally should be blocked.

Whether it concerns children or employees, treating users as potential adversaries isn't helpful and may even have an adverse effect – something that is argued by Forcepoint's Kirstin Leary and Richard Ford in their VB2017 paper on the inside threat. But it would be naive to assume that users never do things they shouldn't, whether intentionally or by mistake. The monitoring of activities by a security product can mitigate the risks that come with this. But do make sure to do it right.

Registration for VB2017 (4-6 Oct in Madrid, Spain) is still open. Places are filling up fast – book now to avoid disappointment!




Latest posts:

VB2017 paper: Nine circles of Cerber

Cerber is one of the major names in the world of ransomware, and last year, Check Point released a decryption service for the malware. Today, we publish a VB2017 paper by Check Point's Stanislav Skuratovich describing how the Cerber decryption tool…

Attack on Fox-IT shows how a DNS hijack can break multiple layers of security

Dutch security firm Fox-IT deserves praise for being open about an attack on its client network. There are some important lessons to be learned about DNS security from its post-mortem.

Throwback Thursday: BGP - from route hijacking to RPKI: how vulnerable is the Internet?

For this week's Throwback Thursday, we look back at the video of a talk Level 3's Mike Benjamin gave at VB2016 in Denver, on BGP and BGP hijacks.

Security Planner gives security advice based on your threat model

Citizen Lab's Security Planner helps you improve your online safety, based on the specific threats you are facing.

VB2017 video: Spora: the saga continues a.k.a. how to ruin your research in a week

Today, we publish the video of the VB2017 presentation by Avast researcher Jakub Kroustek and his former colleague Előd Kironský, now at ESET, who told the story of Spora, one of of the most prominent ransomware families of 2017.