Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Gogo Inflight Internet serves up 'man-in-the-middle' with fake SSL

Maria Korolov | Jan. 8, 2015
Gogo In-flight Internet is issuing fake Google certificates.

When a third party inserts itself between a user and a destination website and uses fake SSL certificates in an attempt to cover it up, it's usually known as a "man-in-the-middle" attack, and offers an opportunity for outsiders to eavesdrop on conversations and steal credentials.

Four days ago, Google Chrome security engineer Adrienne Porter Felt was on an flight where she was using Gogo's in-flight Internet -- and discovered that Gogo was issuing fake Google certificates.

According to Gogo, there was nothing malicious about this, just an attempt to conserve bandwidth by blocking online video streaming.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it," said Gogo CTO Anand Chari in a statement yesterday.

The technique is only used for some streaming site, and does not affect general Internet traffic, he added.

"We can assure customers that no user information is being collected when any of these techniques are being used," he said. "They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience."

However, security experts say that there are many other ways of blocking online video without adopting a technique normally used by cybercriminals.

"There are about a dozen ways of doing this that are more effective than setting up a man-in-the-middle," said Jean Taggart, senior security researcher at San Jose, CA-based Malwarebytes Corp.

Taggart recommended that business travelers use either their company's VPN or a commercial VPN service to ensure that communications are secure through untrusted networks.

For some regulated industries, such as health care, not using a VPN could be a violation of the law, he added.

However, for the average user, a VPN isn't always an option, he added.

"In the case of Gogo, most people who are affected are everyday users who don't have a fully-staffed IT team to set up their machine," he added.

And those users might be making a deliberate decision to use SSL because they care about their security, said Martin Walter, Director of Product Management at Sunnyvale, Cal.-based security firm RedSeal, Inc. For example, they might want to protect their user credentials.

"Breaking a security protocol is definitely the wrong way to go," he said.

For example, Gogo could simply redirect users away from streaming sites to a page that explains that there is a limit to the available bandwidth, or redirect users based on how much bandwidth they are using.

"Communicate with the user," he urged.

This is particularly relevant for Gogo, he added, because the company has a history of privacy violations.

A couple of years ago, Gogo told the FCC that they willingly went beyond what the law required to implement "a set of additional capabilities to accommodate law enforcement interests."


1  2  Next Page 

Sign up for Computerworld eNewsletters.