Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates
from the 'trusted-partner,'-my-ass dept
When you're flying, your internet connection is completely in the hands of a single company. There's no searching around for another signal. So, however the provider decides to handle your connection, that's what you're stuck with. A captive audience usually results in fun things like high prices and connection throttling. And, if you're Gogo Inflight, it means compromising the security of every traveler who chooses to use the service, just because you can.
Gogo Inflight Internet seems to believe that it is justified in performing a man-in-the-middle attack on its users. Adrienne Porter Felt, an engineer on the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she requested Google sites. Looking at the certificate's issuer field, it was issued by Gogo rather than by Google. The bogus certificate was captured in a screenshot tweeted out by Felt.
hey @Gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU
— Adrienne Porter Felt (@__apf__) January 2, 2015
Now, Gogo Inflight likely has several reasons why it would perform a MITM attack on its users, but none of them justify stripping away previously existing security layers. The company loves to data-mine, and it definitely makes an effort to "shape" traffic by curtailing use of data-heavy sites. It is also, as Steven Johns at Neowin points out, an enthusiastic participant in law enforcement and investigative activities, going above and beyond what's actually required of service providers.
In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests. Gogo’s network is fully compliant with the Communications Assistance for Law Enforcement Act (“CALEA”). The Commission’s ATG rules do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA. Nevertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.

So, whatever its myriad reasons for compromising the security of travelers, it's likely the law enforcement angle that has the most to do with its fake SSL certificates. Every communication utilizing its service is fully exposed. Gogo keeping tabs on its users for itself (data mining) and law enforcement also exposes them to anyone else on the plane who wishes to do the same. Nowhere has it stated upfront that it will remove the security from previously secure websites and services. In fact, it says exactly the opposite in its Privacy Policy.
The airlines on whose planes the Services are available do not collect any information through your use of the Services, but we may share certain types of information with such airlines, as described below. Please remember that this policy only covers your activities while on the Gogo Domains; to the extent you visit third party websites, including the websites of our airline partners, the privacy policies of those websites will govern.

Except that those policies can't govern, not when their underlying security has been compromised by fake Gogo SSL certificates.
The solution for travelers is to skip the service entirely, or run everything through a VPN. Gogo welcomes the use of VPNs for greater security, but even this wording is at odds with what it's actually doing.
Gogo does support secure Virtual Private Network (VPN) and Secure Shell (SSH) access. If you have VPN, Gogo recommends that you use secure VPN protocols for greater security. SSL-encrypted websites or pages, typically indicated by “https” in the address field and a “lock” icon, can also generally be accessed through the Gogo Services. You should be aware, however, that data packets from un-encrypted Wi-Fi connections can be captured by technically advanced means when they are transmitted between a user’s Device and the Wi-Fi access point. You should therefore take precautions to lower your security risks.

Again, precautions are moot if Gogo deliberately inserts itself into the transmission with bogus certificates.
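One way a client can notice this kind of substitution, as an added illustration that is not code from the article, Gogo or Google: an interception certificate can carry the right subject name, but it cannot reproduce the real issuer or the real public key, so checking those two fields against pinned values flags it. The certificate dicts, SPKI bytes and issuer names below are constructed for the example.

```python
import base64
import hashlib

# Constructed sample certificates in the shape Python's
# ssl.SSLSocket.getpeercert() returns. Values are made up for this example
# (modelled on the article's description), not captured in flight.
LEGIT_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "Google Inc"),),
               (("commonName", "Google Internet Authority G2"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "*.google.com"),),),  # same name as expected
    "issuer": ((("commonName", "Gogo"),),),            # but not the real issuer
}

# Hypothetical DER-encoded SubjectPublicKeyInfo blobs; a real client would
# extract these from the certificate. Only their hashes matter here.
LEGIT_SPKI = b"constructed-google-public-key-bytes"
INTERCEPTED_SPKI = b"constructed-gogo-public-key-bytes"


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def spki_pin(spki_der):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_certificate(cert, spki_der, expected_issuers, pinned_spki_hashes):
    """Return a list of findings; an empty list means the cert matches the
    pinned issuer set and one of the pinned public keys."""
    findings = []
    issuer = rdn_value(cert["issuer"], "commonName")
    if issuer not in expected_issuers:
        findings.append(f"unexpected issuer: {issuer!r}")
    if spki_pin(spki_der) not in pinned_spki_hashes:
        findings.append("public key does not match any pinned key")
    return findings
```

A client that pins this way treats the Gogo-issued certificate as a failure rather than silently accepting it, which is the property the VPN and SSH advice above relies on.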
Gogo has yet to respond to this, but I would imagine its answer will involve pointing to the mess of contradictions it calls a Privacy Policy. Gogo can run its service however it wants to, but with its upcoming move into providing text messaging and voicemail access, it should really revamp the way it handles its customers' connections.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Filed Under: fake certs, mitm, security, ssl, wifi in the sky
Companies: gogo
Reader Comments
Re: interesting...
THERE! CAUGHT PANTS DOWN EH MIKE? This is all the evidence we need you are a Google shill. /troll
Sorry, couldn't resist.
MITM is for your security. Right?
You could blacklist it, but this will probably cause all HTTPS connections to fail. This is not a bad idea, all in all, but is sort of pointless: you already know they do MITM, so all you need to do is *NOT* use their service. As I do...
Perhaps a better approach would be to use SSH2 tunnelling, or VPNs (as long as the VPN software uses certificate & root(s) pinning, so that it will fail if a different cert is received).
No matter what, get used to checking the server certificate whenever you use a different provider. HTTPS inspection (a.k.a. MITM) is getting to be commonplace.
Re: MITM is for your security. Right?
But, for the common user, it will be swallowed as-is.
I think they did respond...
http://concourse.gogoair.com/technology/statement-gogo-regarding-streaming-video-policy?WT.mc_id=13816cc52535cfd9ebccc0726d7ade02
That sort of dances around the question though.
Re: I think they did respond...
Nobody performing MITM attacks can honestly claim that they're taking their customer's privacy seriously at all.
I'd been tempted to use GoGo a couple of times, but hadn't because the service is far more expensive than it's worth to me. Now I'm glad I never have, and will make sure that I never do.
Re: Re: I think they did respond...
And the very first phrase in the statement is a straight-up lie:
Gogo takes our customer’s privacy very seriously
Nobody performing MITM attacks can honestly claim that they're taking their customer's privacy seriously at all.
-endquote-
It's no lie. They take their customer's privacy so seriously that they take it completely. No half-measures or flim-flam. 100% taken, seriously.
It's all in the way that you look at the words, from the right angle, in the right light, English is useful that way.
it can happen; it is happening; it should not be allowed, though.
But it is, still, a valid use of X.509. Welcome to the marvelous world of standards.
The whole point here is it IS used. One can buy (er, licence) available commercial software to do that. The only thing we can do is loudly complain about services using this. And be *very* careful when accessing HTTPS sites *anywhere*.
In summary: the new reality is this will get to be even more common. Many companies already deploy HTTPS inspection, many more will do (perhaps because of liability containment).
The fact this is stupid has no impact on it being deployed.
Re: it can happen; it is happening; it should not be allowed, though.
The question is, what do you mean by valid? Legally valid? Morally valid? Obviously we can tell it's technically valid because they're doing it.
Re: Re: it can happen; it is happening; it should not be allowed, though.
For the moral and ethical parts... all I can say is that -- and, again, in my opinion -- this is ethically wrong: certificates are used to provide one with a *private* conversation between parts. HTTPS inspection breaks this expectation of privacy. Since, many times, security depends on privacy, then HTTPS inspection implies a break in security as well.
This is even more critical if one thinks of how we have been promoting HTTPS usage -- which, pretty much, boils down to "use HTTPS and you will be secure". Add to it the fact that all browsers allow for one to bypass the security warnings and proceed -- which the majority of users do -- and this is a recipe for disaster (I *like* the ability to bypass the security warning, but I have a pretty good idea of what to do, and of the risks).
On the other hand, a similar process has been in use for quite many years to allow compartmentalisation and *increase* security. Picture a site that uses an internal CA to generate certificates that are used internally, and has a gateway to the external world ("protected" by a publicly-acquired certificate). By using software that requires all certificate roots to be present (and refuses to accept new roots over the wire), this site can guarantee that internal data will not be mistakenly sent out, or that external data will not be accepted unless coming in through the gateway. In this usage, the internal servers only have the roots for the internal CA, and the gateway has *only* the internal root for the internal-facing, ah, listener, and the external root for the external-facing one.
This uses a similar (in functionality) software. Also, I am simplifying this a *lot*.
So. As usual, it is not the technology that is bad, but the usage one makes of it. But, frankly, X.509 is a dated technology, does not scale well, does not really guarantee provenance, etc, etc, ad nauseam.
Re: it can happen; it is happening; it should not be allowed, though.
Then bank robbery is a valid use of a gun. Welcome to the marvelous world of "it's OK because it's possible".
Re:
I think there are two aspects to this. First, the internet isn't counted as a communications service (yet another reason we need title II) so I don't think wiretap laws apply. Second, they're doing this entirely on their own systems, so the newer anti-hacking laws (that were supposed to fill the wiretap law gap in part) don't apply.
The bottom line is -- if you're using someone else's system to access the internet, you have to consider the entire system to be compromised.
What about "right to privacy"
Also, I'd think they are possibly violating other California laws, e.g.:
There are dozens more... see the whole list: http://oag.ca.gov/privacy/privacy-laws
America certainly has changed since 9/11. I'd argue for the worse. Mimicking the Great Firewall of China is a step backwards in my book.
Acceptable Use Policies
These devices do not look into the packets and store the information. All they do is log transactions. Gogo says they use it to shape traffic and that totally makes sense, they have a limited amount of bandwidth on an airplane (ten years ago this sounded like a far off dream) and in order to support more than one person on the flight they need to limit what kind of traffic goes across it.
Please use your brains before crying conspiracy. It is a valid use of technology and I'm quite sure that many of your residential ISPs take advantage of this service.
Re: Acceptable Use Policies
Issuing phony SSL certificates is by no means a legitimate use of the technology.