Transparency is essential when monitoring your users' activities

Posted by    on   Sep 20, 2017

The inspection of HTTPS traffic is a sensitive issue among security experts. On the one hand, there are those who argue that this breaks the important end-to-end principle of secure connections, while others argue that it is essential if one wants to block malicious network traffic, which is increasingly using HTTPS.

I tend to side with the latter group, but with great power comes great responsibility, and there are a few criteria that need to be satisfied by those doing the inspection.

Firstly, users should have alternative ways of accessing the content without being monitored. This is satisfied in a work environment, where users can switch to mobile devices or use their home Internet connection, but not when monitoring happens at the level of a country or region.

Secondly, the interception should be such that it does not degrade the security of the connection. It is possible to achieve this, but many security products have failed here. At VB2017 next month, Cloudflare's Nick Sullivan will give a Small Talk on this very subject, aiming to help security products to do things better and thus relieve the tensions in the encryption vs inspection debate.

And thirdly, the interception should be transparent to the user. This is also what the European Court of Human Rights said recently when it ruled that companies that monitor their employees' work accounts should notify them in advance.

I would thus recommend organizations that monitor network traffic and other user activities to be upfront about it, and to discuss their monitoring activity as part of the regular security training they provide to their employees. As for these employees, a nice online tool developed by the same Nick Sullivan will tell you whether your traffic is being monitored. (The tool is currently in beta and appears to give false positives or false negatives for some users.)


A related issue occurs with consumer spyware: mobile apps used by people to spy the activities on (ex-)partners – the subject of a VB2017 presentation by Joseph Cox of The Daily Beast. Such apps are despicable, yet functionally barely any different from apps used by parents to monitor their children's mobile phone usage.

There is one big difference though: transparency. Legitimate child monitoring apps will make it clear to the phone's user that their activities are being monitored. If apps fail to do so, even if they make bold claims about wanting to protect children, they should not be used – and ideally should be blocked.

Whether it concerns children or employees, treating users as potential adversaries isn't helpful and may even have an adverse effect – something that is argued by Forcepoint's Kirstin Leary and Richard Ford in their VB2017 paper on the inside threat. But it would be naive to assume that users never do things they shouldn't, whether intentionally or by mistake. The monitoring of activities by a security product can mitigate the risks that come with this. But do make sure to do it right.

Registration for VB2017 (4-6 Oct in Madrid, Spain) is still open. Places are filling up fast – book now to avoid disappointment!




Latest posts:

We are more ready for IPv6 email than we may think

Though IPv6 is gradually replacing IPv4 on the Internet's network layer, email is lagging behind, the difficulty in blocking spam sent over IPv6 cited as a reason not to move. But would we really have such a hard time blocking spam sent over IPv6?

Subtle change could see a reduction in installation of malicious Chrome extensions

Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus making it harder for malware authors to trick users into unwittingly installing malicious extensions.

Paper: EternalBlue: a prominent threat actor of 2017–2018

We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail.

'North Korea' a hot subject among VB2018 talks

Several VB2018 papers deal explicitly or implicitly with threats that have been attributed to North Korean actors.

Expired domain led to SpamCannibal's blacklist eating the whole world

The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it effectively listing every single IP address.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.