Many air travelers assume they’re receiving access to a safe and secure Internet connection when they choose to pay Gogo for the ability to surf the web on an airplane. However, a troubling new allegation, first noticed by Neowin.net, suggests that Gogo issues false SSL certificates to those visiting certain sites and may be cause for serious concern to those using the service.
Google Chrome security team engineer, Adrienne Porter Felt, noticed that when she tried to visit a Google site on a recent flight, she was issued an SSL certificate by Gogo instead of Google, as would normally the case. She later sent a tweet showing a screenshot of the certificate in question:
SSL/TLS are cryptographic protocols that provide an added layer of security for communications over the Internet. These certificates help make man-in-the-middle attacks (where a third party can access your Internet traffic) more difficult, helping to keep sensitive personal information secure. When properly implemented, a would-be hacker must first attack the SSL certificate before spying on a user’s traffic.
In Porter Felt’s case, this security device was subverted by Gogo itself, leaving her connection, and potentially that of many other users, unsecured.
Gogo responded to our inquiry about the case with a statement via email from its Chief Technology Officer, Anand Chari. The statement, reprinted below in full, suggests that Gogo uses this approach in order to limit bandwidth by blocking access to video streaming sites during flights:
Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.
However, in another Twitter exchange Porter Felt claims she was not streaming video at the time she received the false certificate:
@iamchrisle oddly enough I wasn't, I noticed this when debugging a page that seemed broken (it had youtube in an iframe)— Adrienne Porter Felt (@__apf__) January 5, 2015
Gogo’s violation is particularly noteworthy because of the ubiquity of its service. Gogo provides in-flight Internet access to passengers on a number of different national and international airlines, including American Airlines, Air Canada, Japan Airlines, and Virgin Atlantic, among others.
While Porter Felt does not seem to believe google account information was compromised, she did, according to another tweet, take the step of telling a Google account manager to kill all active sessions:
Considering Porter Felt’s comment, fears of a breach of user data might be overblown. Even so, it might be wise for past Gogo users to consider changing their passwords. Future users of the service might also want to take extra precautions and access the service through a secure VPN.
H/T Neowin | Photo via bejamincclark/Flickr (CC By 2.0)