Gogo Inflight Internet, the only way to access the Internet on nine major airlines such as Delta, American, U.S. Airways and Virgin Atlantic, apparently doesn’t think you need secure browsing.
Gogo, it turns out, has been intentionally issuing fake SSL certificates to its Internet users. That’s a pretty big security no-no; such certificates are basically designed to ensure that you’re connecting to a genuine site and not an imposter.
By forging these certificates, Gogo is itself acting as an imposter of sorts. When done with malicious intent, such an act is known as a man-in-the-middle attack—one in which an untrusted third party inserts itself in the middle of your communications to eavesdrop on conversations, copy messages or even interfere with traffic by blocking it or replacing real transmissions with fake ones.
The compromise was discovered by Adrienne Porter Felt, an engineer on the Google Chrome security team, when she discovered she was being served SSL certificates from Gogo while connecting to Google-owned YouTube during a flight.
hey @Gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU
— Adriana Porter Felt (@__apf__) January 2, 2015
Porter Felt tweeted that she believes Gogo is performing this user unfriendly behavior to block streaming video, which Gogo explicitly doesn’t support—although, as Porter Felt noted, “there are better ways to do it.”
She isn’t the only one who thinks so. As Chester Wisniewski, a security expert at Sophos, told me via email:
Using SSL certificates for traffic shaping is at minimum unconventional and seemingly a pretty terrible idea. The ability to man in the middle someone’s traffic is a serious thing. If you don’t intend on seeing private data, don’t intercept it. I suspect there is more going on here then they are saying.
Gogo denied any ulterior motives in a statement that quoted CTO Anand Chari:
Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience… We can assure customers that no user information is being collected when any of these techniques are being used.
But it’s also worth considering that the FCC revealed Gogo has partnered with the government to produce “capabilities to accommodate law enforcement interests” that go above and beyond what is required by law. Gogo’s privacy policy also notes that it collects several kinds of data, like cookies and device identifiers, when customers use its service.
See also: Building A Raspberry Pi VPN Part One: How And Why To Build A Server
Christopher Soghoian, the ACLU’s principal technologist, says Gogo’s ends don’t rationalize its means. “Gogo’s desire to block streaming video sites does not justify impersonating Google to its users,” he said. “This incident serves as yet another reminder of the fact that the certificate authority system, which is an often-overlooked lynchpin of the secure web, is fragile and easy to abuse.”
Photo by Jake Setlak