Gogo Inflight Internet May Be Snooping On Its Users

Gogo Inflight Internet, the only way to access the Internet on nine major airlines such as Delta, American, U.S. Airways and Virgin Atlantic, apparently doesn’t think you need secure browsing.

Gogo, it turns out, has been intentionally issuing fake SSL certificates to its Internet users. That’s a pretty big security no-no; such certificates are basically designed to ensure that you’re connecting to a genuine site and not an imposter.

By forging these certificates, Gogo is itself acting as an imposter of sorts. When done with malicious intent, such an act is known as a man-in-the-middle attack—one in which an untrusted third party inserts itself in the middle of your communications to eavesdrop on conversations, copy messages or even interfere with traffic by blocking it or replacing real transmissions with fake ones.

The compromise was discovered by Adrienne Porter Felt, an engineer on the Google Chrome security team, when she noticed she was being served SSL certificates from Gogo while connecting to Google-owned YouTube during a flight.
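The kind of check that surfaces this situation can be sketched in a few lines. The following is an added example, not part of the original article and not Gogo's or Google's code: it compares the issuer of the certificate served for a host against the issuers expected for that host. The host name, organization names and the `EXPECTED` table are constructed placeholders, and the certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: compare a served certificate's issuer with the issuers
# expected for that host. Certificates use the dict shape returned by
# ssl.SSLSocket.getpeercert() in Python's standard library.

def name_field(rdns, key):
    """Return the first value of `key` in a getpeercert()-style name."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def check_issuer(host, cert, expected_issuers):
    """Return (verdict, issuer_org) for the certificate served for `host`."""
    if not cert:
        # getpeercert() yields {} when the chain was not validated.
        return ("no-cert-data", None)
    issuer_org = name_field(cert.get("issuer", ()), "organizationName")
    allowed = expected_issuers.get(host)
    if allowed is None:
        return ("no-baseline", issuer_org)
    verdict = "ok" if issuer_org in allowed else "unexpected-issuer"
    return (verdict, issuer_org)

# Constructed sample data: every host and organization name is a placeholder.
EXPECTED = {"video.example": {"Example Public CA"}}
GENUINE = {
    "subject": ((("commonName", "video.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G1"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "video.example"),),),
    "issuer": ((("organizationName", "Example Inflight ISP"),),
               (("commonName", "Example Inflight ISP Proxy"),)),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, check_issuer("video.example", cert, EXPECTED))
```

An issuer name is whatever the certificate's creator wrote into it, so this comparison supplements normal chain validation rather than replacing it.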

Porter Felt tweeted that she believes Gogo is performing this user-unfriendly behavior to block streaming video, which Gogo explicitly doesn’t support—although, as Porter Felt noted, “there are better ways to do it.”

She isn’t the only one who thinks so. As Chester Wisniewski, a security expert at Sophos, told me via email: 

“Using SSL certificates for traffic shaping is at minimum unconventional and seemingly a pretty terrible idea. The ability to man in the middle someone’s traffic is a serious thing. If you don’t intend on seeing private data, don’t intercept it. I suspect there is more going on here than they are saying.”

Gogo denied any ulterior motives in a statement that quoted CTO Anand Chari:

“Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience… We can assure customers that no user information is being collected when any of these techniques are being used.”

But it’s also worth considering that the FCC revealed Gogo has partnered with the government to produce “capabilities to accommodate law enforcement interests” that go above and beyond what is required by law. Gogo’s privacy policy also notes that it collects several kinds of data, like cookies and device identifiers, when customers use its service.

Christopher Soghoian, the ACLU’s principal technologist, says Gogo’s ends don’t rationalize its means. “Gogo’s desire to block streaming video sites does not justify impersonating Google to its users,” he said. “This incident serves as yet another reminder of the fact that the certificate authority system, which is an often-overlooked lynchpin of the secure web, is fragile and easy to abuse.”

Photo by Jake Setlak
