Transparency is essential when monitoring your users' activities

Posted by    on   Sep 20, 2017

The inspection of HTTPS traffic is a sensitive issue among security experts. On the one hand, there are those who argue that this breaks the important end-to-end principle of secure connections, while others argue that it is essential if one wants to block malicious network traffic, which is increasingly using HTTPS.

I tend to side with the latter group, but with great power comes great responsibility, and there are a few criteria that need to be satisfied by those doing the inspection.

Firstly, users should have alternative ways of accessing the content without being monitored. This is satisfied in a work environment, where users can switch to mobile devices or use their home Internet connection, but not when monitoring happens at the level of a country or region.

Secondly, the interception should be such that it does not degrade the security of the connection. It is possible to achieve this, but many security products have failed here. At VB2017 next month, Cloudflare's Nick Sullivan will give a Small Talk on this very subject, aiming to help security products to do things better and thus relieve the tensions in the encryption vs inspection debate.

And thirdly, the interception should be transparent to the user. This is also what the European Court of Human Rights said recently when it ruled that companies that monitor their employees' work accounts should notify them in advance.

I would thus recommend organizations that monitor network traffic and other user activities to be upfront about it, and to discuss their monitoring activity as part of the regular security training they provide to their employees. As for these employees, a nice online tool developed by the same Nick Sullivan will tell you whether your traffic is being monitored. (The tool is currently in beta and appears to give false positives or false negatives for some users.)


A related issue occurs with consumer spyware: mobile apps used by people to spy the activities on (ex-)partners – the subject of a VB2017 presentation by Joseph Cox of The Daily Beast. Such apps are despicable, yet functionally barely any different from apps used by parents to monitor their children's mobile phone usage.

There is one big difference though: transparency. Legitimate child monitoring apps will make it clear to the phone's user that their activities are being monitored. If apps fail to do so, even if they make bold claims about wanting to protect children, they should not be used – and ideally should be blocked.

Whether it concerns children or employees, treating users as potential adversaries isn't helpful and may even have an adverse effect – something that is argued by Forcepoint's Kirstin Leary and Richard Ford in their VB2017 paper on the inside threat. But it would be naive to assume that users never do things they shouldn't, whether intentionally or by mistake. The monitoring of activities by a security product can mitigate the risks that come with this. But do make sure to do it right.

Registration for VB2017 (4-6 Oct in Madrid, Spain) is still open. Places are filling up fast – book now to avoid disappointment!




Latest posts:

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…

VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We preview the VB2017 paper by Kaspersky Lab researchers Juan Andrés Guerrero-Saade and Costin Raiu on fourth-party collection and its implications for attack attribution.