[Cryptography] Gogo Inflight Internet is intentionally issuing fake SSL certificates
hbaker1 at pipeline.com
Mon Jan 5 21:57:01 EST 2015
Gogo Inflight Internet is intentionally issuing fake SSL certificates
By Steven Johns @stevenjohns · 23 hours ago
SSL/TLS is a protocol that exists to ensure that there is an avenue for secure communication over the Internet. Through the use of cryptography and certificate validation, SSL certificates make man-in-the-middle attacks (where a third party would be able monitor your internet traffic) difficult, so the transmission of things like credit card numbers and user account passwords becomes significantly safer. In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone's traffic.
For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer that is a part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.
hey @Gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU
Adrienne Porter Felt (@__apf__) January 2, 2015
This presents itself as an extremely unacceptable action by Gogo which serves in-flight internet to a number of different national and international airlines, including Aeromexico, American Airlines, Air Canada, Japan Airlines and Virgin Atlantic, among many others.
Earlier this year, it was revealed through the FCC that Gogo partnered with government officials to produce "capabilities to accommodate law enforcement interests" that go beyond those outlined under federal law. It mentioned how it worked closely with law enforcement and directly baked spyware into their service. If that wasn't bad enough, based on this revelation, Gogo is now intentionally attacking its users' browsing sessions to remove any line of defense that a user may have, and based on their history, it cannot be trusted that it is being done for any legitimate reason.
While Gogo happily waves how heavily it mines its customers' data and is willing to cooperate with governments and law enforcement groups, including undisclosed "third parties," this method of mining goes beyond what anyone would ever expect. Gogo is also offering in-flight texting and voicemail, and there is no doubt as to how Gogo will be handling the privacy and security elements of those as well.
If you have used Gogo in the past, it is worth considering that all of your communications, including those over SSL/TLS, have been compromised and that you should consider resetting your passwords--at least for Google and Google-related services. If you intend to use Gogo in the future, do so through the use of Tor or through a secure VPN.
Update: Gogo has issued this statement in response to the situation:
Gogo takes our customers privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we dont support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.
More information about the cryptography