(No Ratings Yet)

January 20, 2015 Comments closed

Airline Wi-Fi Provider Gogo Has Been Intercepting User Traffic

in ssl certificates

If you have ever flown on a US airline, chances are you have seen an advertisement for an in-flight Wi-Fi service provided by Gogo. While Gogo is certainly appealing to most travelers in this day and age, a revelation has come to light recently about this service that you should probably be aware of.

gogo_inflight_internet

This past week, Adrienne Porter Felt, a security engineer at Google, discovered that Gogo was using a fraudulent certificate in place of Youtube.com’s real SSL certificate. The certificate was a self-signed certificate issued by Gogo, being used in combination with a proxy server. This was easy to spot because of SSL security measures in place that prevents connections from being established with a certificate issued by an untrusted provider.

The purpose of this behavior is to insert their own proxy server between the user and Youtube.com, known as a “man in the middle attack” (MITM). By performing a MITM attack, Gogo was able to view user’s data unencrypted, for the purpose of throttling or blocking connections to the bandwidth-intensive video streaming site.

Making sure users are not violating policy is fairly standard for Internet service providers. Because SSL encrypts internet traffic, it makes it harder for providers to monitor and restrict access on their networks. However by MITMing traffic to Youtube, Gogo has stepped far over the boundaries of acceptable behavior, especially given available alternatives which protect user privacy.

This is especially troubling given Gogo’s history. Neowin.com reports that “earlier this year, it was revealed through the FCC that Gogo partnered with government officials to produce ‘capabilities to accommodate law enforcement interests’ that go beyond those outlined under federal law.”³

We hope it goes without saying, but just to be clear, The SSL Store™ does not support this action, or any other action(s) which undermine SSL security and user perception of security.

For more on this story, please see this excellent write up by Rick Andrews of Symantec at CASecutiy.org.

3 https://www.neowin.net/news/gogo-inflight-internet-is-intentionally-issuing-fake-ssl-certificates

How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018

Re-Hashed: How to clear HSTS settings in Chrome and Firefox

Re-Hashed: How to Fix SSL Connection Errors on Android Phones

Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms

Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message

How to fix the SSL_ERROR_RX_RECORD_TOO_LONG Firefox Error

The Difference Between Root Certificates and Intermediate Certificates

The difference between Encryption, Hashing and Salting

Rehash: How to Fix the SSL/TLS Handshake Failed Error

How to Remove a Root Certificate

This is what happens when your SSL certificate expires

How strong is 256-bit Encryption?

The 25 Best Cyber Security Books — Recommendations from the Experts

Cipher Suites: Ciphers, Algorithms and Negotiating Security Settings

Browser Watch: SSL/Security Changes in Chrome 58

Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3

Taking a Closer Look at the SSL/TLS Handshake

Executing a Man-in-the-Middle Attack in just 15 Minutes

How to View SSL Certificate Details in Chrome 56

15 PKI Uses and Applications (With Examples)

New Industry Standards Working Group Aims to Define Industry Terms

Don’t Let These Password Cracking Attacks Catch You Off Guard

Gartner Says PKI Was a Bigger Challenge in 2023 Than MFA

A Look at U.S. Business Email Compromise Statistics (2024)

PKI Mistakes That Were So Bad They Made Headlines (12 Examples)

How to Sign a Word Document Using a Digital Signature Certificate

5 Ways to Avoid Your Company Falling for Deepfake Scams

How Do I Make My Website Secure? The Essential Guide

The Ultimate Guide to 13 U.S. Data Privacy Laws (And What They Mean to Your Business)

Demystifying SAML Authentication: A Look at the Role of SAML in SSO-Based Access Management

Quantum Computing Just Took a Big Step Forward

20 Generative AI, ChatGPT & Deepfake Statistics You Should Know For 2024

‘Authentic’ Is More Than Merriam-Webster’s Word of the Year For 2023

Key Takeaways from the Second PKI Consortium Post-Quantum Cryptography Conference

6 Dangers of Generative AI and What’s Being Done to Address Them

OCSP vs CRL: What Each Is & Why Browsers Prefer One Over the Other

Google & Yahoo to Roll Out New Email Authentication & Spam Prevention Requirements in February 2024

A Look at 30 Key Cyber Crime Statistics [2023 Data Update]

How to Create a Custom Digital Signature in Adobe Acrobat Reader

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018

How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome

Re-Hashed: How to Fix SSL Connection Errors on Android Phones

Cloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid

This is what happens when your SSL certificate expires

Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message

Report it Right: AMCA got hacked – Not Quest and LabCorp

Re-Hashed: How to clear HSTS settings in Chrome and Firefox

Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms

The Difference Between Root Certificates and Intermediate Certificates

The difference between Encryption, Hashing and Salting

Re-Hashed: How To Disable Firefox Insecure Password Warnings

Cipher Suites: Ciphers, Algorithms and Negotiating Security Settings

The Ultimate Hacker Movies List for December 2020

Anatomy of a Scam: Work from home for Amazon

The Top 9 Cyber Security Threats That Will Ruin Your Day

How strong is 256-bit Encryption?

Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3

How to View SSL Certificate Details in Chrome 56

PayPal Phishing Certificates Far More Prevalent Than Previously Thought

Author

Recent Posts

Follow Us

Free Ebooks