Google engineer Adrienne Felt recently noticed that Gogo in-flight Wi-Fi was messing with the SSL certificates on secure Google web pages.
Her browser showed a problem with the HTTPs connection, and further investigation showed that the SSL certificate was self signed by Gogo’s own untrusted certificate authority.
This allows them to read all of the supposedly encrypted communications in the clear. That information could include personal, financial, corporate, or other confidential data. It also tends to train users to ignore security alerts, which leaves them vulnerable to any other attacker using the same kind of Man in the Middle attack.
In their response, Gogo EVP / CTO said:
“Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”
I am not very reassured by this, particularly given their previous history of going above and beyond requirements to support law enforcement intercepts. Even if they are acting in good faith, this kind of action puts all users at risk. Any compromise of the proxy server would give full clear text access to the communications of everyone on the plane.
To protect yourself, make sure you use a VPN service (like Anonymizer) to encrypt your traffic out to an endpoint beyond Gogo’s reach.
Nokia did something similar a while back.
Even certificate authorities can’t always be trusted.
Thanks to the following articles:
Gogo Inflight Internet is intentionally issuing fake SSL certificates - Neowin
Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates | Techdirt
Gizmodo - Gogo Wi-Fi Is Using Man-in-the-Middle Malware Tactics on Its Own Users
GoGo in-flight WiFi creates man-in-the-middle diddle • The Register
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.