On January 2nd Adrienne Porter Felt, a software engineer for Google Chrome’s security team, noticed that the “*.google.com” SSL certificate she received for YouTube.com during her Gogo Inflight Internet session was not actually issued by Google (which owns YouTube), but by Gogo. Felt noticed the fraudulent certificate when she was attempting to debug a seemingly broken webpage which featured YouTube in an iFrame (a tool used to embed files). Gogo asserts that it employs techniques to block or limit streaming sites (such as YouTube), however, there are other techniques available to limit or block traffic that do not enable Gogo access to information that could be harmful to users if used improperly (such as Google account usernames and passwords).
Although Gogo states in its “Tems of Use” that Gogo “does not provide an encrypted communication channel” web browsing after initial connection through Gogo is established, it goes on to state that “SSL-encrypted websites or pages, typically indicated by ‘https’ in the address field and a ‘lock’ icon, can also generally be securely accessed through the Service.” It’s incredibly suspect that Gogo provides self-issued SSL certificates for websites that it does not own or manage, as there is no immediately apparent or defensible justification for misleading users in this manner.
Gogo has not yet posted a press release on the issue, however the following statement by Anand Chari, Executive Vice President and Chief Technology Officer of Gogo, was posted on Gogo’s blog:
Gogo takes our [sic] customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, It [sic] impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”
Cryptographic protocols such as Transport Layer Security (TLS) and Secure Socket Layer (SSL) are used to encrypt data that is transferred between two parties (i.e. a user of a website and that website). TLS and SSL certificates are issued to authenticate that the counterparty a user is communicating with is the intended counterparty. That is their sole purpose. Issuing false certificates then solely serves misguide users into believing that they are communicating with the intended counterparty – sometimes referred to as a man-in-the-middle attack or MIMT. Despite Gogo’s indirect claims that such techniques are employed to control traffic to ensure sufficient bandwidth is available on flights, there is no legitimate reason for Gogo to “proxy secure video traffic to block it” when other, less dubious means of blocking websites are available.
Last April, Gogo received some unwanted attention from an FCC filing stating that it voluntarily implemented “additional capabilities to accommodate law enforcement interests” which were not required by the Communications Assistance for Law Enforcement Act, causing consumers to be concerned about intrusive surveillance.
Several airlines offer Gogo Inflight Internet including Delta Air Lines, American Airlines, Virgin America, Alaska Airlines, US Airways, Frontier Airlines and Air Tran Airways. If flying these airlines and using onboard Wi-Fi, even Gogo advises the use of a VPN to ensure information and data security. Others have suggested using Tor and resetting Google passwords if Gogo had ever been used to access Google accounts. Internet security expert Michael Donohoe had this to say:
— Michael (@donohoe) January 5, 2015
photo: Adrienne Porter Felt