Gogo Inflight Internet serves up ‘man-in-the-middle’ with fake SSL

When a third party inserts itself between a user and a destination website and uses fake SSL certificates in an attempt to cover it up, it’s usually known as a “man-in-the-middle” attack, and offers an opportunity for outsiders to eavesdrop on conversations and steal credentials.

Four days ago, Google Chrome security engineer Adrienne Porter Felt was on an flight where she was using Gogo’s in-flight Internet — and discovered that Gogo was issuing fake Google certificates.

According to Gogo, there was nothing malicious about this, just an attempt to conserve bandwidth by blocking online video streaming.

“One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it,” said Gogo CTO Anand Chari in a statement yesterday.

The technique is only used for some streaming site, and does not affect general Internet traffic, he added.

“We can assure customers that no user information is being collected when any of these techniques are being used,” he said. “They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”

However, security experts say that there are many other ways of blocking online video without adopting a technique normally used by cybercriminals.

“There are about a dozen ways of doing this that are more effective than setting up a man-in-the-middle,” said Jean Taggart, senior security researcher at San Jose, CA-based Malwarebytes Corp.

Taggart recommended that business travelers use either their company’s VPN or a commercial VPN service to ensure that communications are secure through untrusted networks.

For some regulated industries, such as health care, not using a VPN could be a violation of the law, he added.

However, for the average user, a VPN isn’t always an option, he added.

“In the case of Gogo, most people who are affected are everyday users who don’t have a fully-staffed IT team to set up their machine,” he added.

And those users might be making a deliberate decision to use SSL because they care about their security, said Martin Walter, Director of Product Management at Sunnyvale, Cal.-based security firm RedSeal, Inc. For example, they might want to protect their user credentials.

“Breaking a security protocol is definitely the wrong way to go,” he said.

For example, Gogo could simply redirect users away from streaming sites to a page that explains that there is a limit to the available bandwidth, or redirect users based on how much bandwidth they are using.

“Communicate with the user,” he urged.

This is particularly relevant for Gogo, he added, because the company has a history of privacy violations.

A couple of years ago, Gogo told the FCC that they willingly went beyond what the law required to implement “a set of additional capabilities to accommodate law enforcement interests.”

“Because of the issues in the past, they should really be worried about reestablishing trust with their customers,” Walter said. “And performing a man-in-the-middle is the wrong way to go about that.”

According to Francis Turner, VP of Research at Carlsbad, CA-based ThreatSTOP Inc., Gogo’s approach also has usability consequences.

A user who is, say, visiting one of the sites that Gogo set up the proxy for would set of browser alarms because there is no way to distinguish between Gogo’s fake certificate and a malicious one.

Chrome, for example, detects that the certificate is invalid and makes it hard to continue to the site, said Turner.

Matt Nelson, president and CEO of Alabama-based AvaLan Wireless Systems, Inc., a wireless hardware manufacturing firm, said that new laws are needed to make this kind of activity illegal.

“This is equivalent to wiretapping or recording of phone conversations without the person’s knowledge,” he said. “While I appreciate the airlines wanting to keep things safe, there should be limits to how much personal information is needed in order to hop onto a plane and use their WiFi.”