If you were planning on using in flight Internet provided by Gogo to watch a few YouTube videos, you may want to think twice. Naked Security has found that GoGo is doing a version of the “Man In The Middle Attack” to throttle high bandwidth applications such as watching YouTube:
Google Chrome security team engineer Adrienne Porter Felt first noticed the bogus SSL certificate while trying to get to the (Google-owned) YouTube site during a flight.
Instead of receiving the Google-issued certificate she expected, she got one from Gogo, with a red-letter warning saying that it came from an untrusted issuer.
Now, that’s very bad for the following reasons:
While modern-day browsers, including Chrome, will flag a bogus certificate, the practice of issuing fake certificates could, at least in theory, set Gogo up to be in the same position as the man in the middle of a man-in-the-middle (MitM) attack, issuing fake security certificates that allow it to view passwords and other sensitive information exchanged between users and YouTube – or whatever other service Gogo might use the technique to block.
Gogo sees things differently of course:
In response to Felt’s text, Gogo Executive Vice President and Chief Technology Officer Anand Chari released a statement saying that the broadband provider is absolutely not stealing users’ private data.
Rather, the rigged certificate is all about enforcing the company’s no-streaming policy, he said.
That’s fine, except Ms. Porter wasn’t trying to stream videos. Even if she was, Gogo was recently caught bragging about how it goes above and beyond to enable the US to snoop on passengers. Thus I would take whatever this company says with a grain of salt.
My advice. Use trusted (if there is such a thing these days) WiFi access in the airport terminal or use your smartphone’s tethering ability to get onto the Internet. Clearly in flight WiFi via Gogo can’t be trusted.
Gogo Forges YouTube SSL Certificate To Throttle Bandwidth….. Not Cool….
Posted in Commentary with tags Gogo, Privacy on January 8, 2015 by itnerdIf you were planning on using in flight Internet provided by Gogo to watch a few YouTube videos, you may want to think twice. Naked Security has found that GoGo is doing a version of the “Man In The Middle Attack” to throttle high bandwidth applications such as watching YouTube:
Google Chrome security team engineer Adrienne Porter Felt first noticed the bogus SSL certificate while trying to get to the (Google-owned) YouTube site during a flight.
Instead of receiving the Google-issued certificate she expected, she got one from Gogo, with a red-letter warning saying that it came from an untrusted issuer.
Now, that’s very bad for the following reasons:
While modern-day browsers, including Chrome, will flag a bogus certificate, the practice of issuing fake certificates could, at least in theory, set Gogo up to be in the same position as the man in the middle of a man-in-the-middle (MitM) attack, issuing fake security certificates that allow it to view passwords and other sensitive information exchanged between users and YouTube – or whatever other service Gogo might use the technique to block.
Gogo sees things differently of course:
In response to Felt’s text, Gogo Executive Vice President and Chief Technology Officer Anand Chari released a statement saying that the broadband provider is absolutely not stealing users’ private data.
Rather, the rigged certificate is all about enforcing the company’s no-streaming policy, he said.
That’s fine, except Ms. Porter wasn’t trying to stream videos. Even if she was, Gogo was recently caught bragging about how it goes above and beyond to enable the US to snoop on passengers. Thus I would take whatever this company says with a grain of salt.
My advice. Use trusted (if there is such a thing these days) WiFi access in the airport terminal or use your smartphone’s tethering ability to get onto the Internet. Clearly in flight WiFi via Gogo can’t be trusted.
Leave a comment »