Gogo—a provider of in-flight Wi-Fi service on commercial airlines—admitted publicly that it is using fake SSL certificates for a man-in-the-middle attack that enables it to block customer access to certain sites. The admission is cause for concern on a couple levels, and undermines the public trust in SSL certificates at all.
The issue was initially made public thanks to a Google engineer who had issues playing a Youtube video while using the Gogo in-flight Wi-Fi. She noticed that the SSL certificate being used was not the legitimate SSL certificate for Youtube, but was instead a rogue certificate issued to Gogo.
Gogo CTO Anand Chari issued a statement explaining, “Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”
Chari goes on to stress that no customer information is being intercepted or collected, and that the man-in-the-middle attack is used strictly to allow Gogo to prevent customers from consuming excessive bandwidth by visiting streaming video sites in flight.
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, chastised Gogo for undermining our ability to trust SSL certificates. "Unfortunately, this is not a new risk and is pervasive across the Internet. It is increasingly difficult for both end users and businesses to understand if secure communications can be trusted. It’s best if business providers like Gogo don’t complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications.”
Bocek added, “Not surprisingly, Intel expects the next major cybercriminal marketplace to be the sale of compromised digital certificates. Forged, compromised, and misused certificates and keys are a major threat that enterprises are only starting to grapple with. It’s clear, however, that bad guys know how to use them against us.”
I sympathize with the desire to provide a reasonable experience for customers, and the impact on bandwidth when a customer streams video during a flight. I don’t think that excuses this behavior, though.
I don’t fly nearly as often as some of my tech journalist peers, but I fly enough to know that Gogo in-flight Wi-Fi isn’t worth it unless you have a pressing deadline to meet, and a company expense account to cover the cost. It’s a lot of money for crappy bandwidth even in a best-case scenario. Shady actions like forging certificates to execute man-in-the-middle attacks just reinforce my reluctance to give Gogo any of my money.