Gogo Inflight Internet, an internet provider for major airlines including American, United, U.S. Airways, and Delta, has been caught issuing spoofed SSL certificates by a Google engineer.
While many of us love the convenience of being able to work online while inflight, the incident raises questions regarding just how secure our wireless inflight internet access is – and why Gogo found it necessary to spoof a security certificate in the first place.
What is SSL certificate spoofing?
An SSL certificate is intended to create a secure line that submits encrypted data between a user’s browser and a web server. Modern web browsers feature ways to identify who has registered an SSL certificate, and the location of the party it is being used by.
SSL certificate spoofing, also referred to as a “man-in-the-middle attack” enables an attacking party to cut into a data transaction, and monitor and interact with the data being transferred. This middle-man approach allows for the easy monitoring and collection user transaction data including login information, credit card details, email communications, social security numbers, etc.
So if spoofing is such a powerful, and illicit breach of security – why is Gogo Inflight Internet using this method?
Google engineer Adrienne Porter Felt, a member of the usability security research portion of the Chrome team, discovered Gogo spoofing a Google SSL certificate while inflight. Ordinarily, this certificate can only be delivered by Google itself, with a properly signed certificate to verify its authenticity.
Instead, what she found was a Google certificate issued by…Gogo.
The response from Gogo
After posting a screenshot of the falsified certificate to Twitter, the Executive Vice President and Chief Technology Officer of Gogo, Anand Chari, responded on Gogo’s blog citing the company’s policy regarding streaming video. He wrote:
“Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”
What does it all mean?
It is clear that Gogo does not see eye to eye with critics who agree that spoofing SSL certificates opens up inflight internet users to security threats. But the fact of the matter is that the concerns being raised about security are quite real – no one knows what Gogo is actually doing with the user data that they have access to. All we have is their word.
And thanks to a Wired article from last year, we do know that Gogo, as well as other inflight wi-fi providers, have a deal with the NSA and U.S. law enforcement to provide data on users for tracking purposes when ordered.
So can we trust Gogo Inflight Internet? That remains to be seen, but based on the evidence, if you are worried about security it may be in your best interests to refrain from accessing secure websites and submitting data using their network.
How do you feel about this story?
Tell us by tweeting @UptrendsMonitor!