Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates

from the 'trusted-partner,'-my-ass dept

When you’re flying, your internet connection is completely in the hands of a single company. There’s no searching around for another signal. So, however the provider decides to handle your connection, that’s what you’re stuck with. A captive audience usually results in fun things like high prices and connection throttling. And, if you’re Gogo Inflight, it means compromising the security of every traveler who chooses to use the service, just because you can.

Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer that is a part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

The bogus certificate was captured in a screenshot tweeted out by Felt.

Now, Gogo Inflight likely has several reasons why it would perform a MITM attack on its users, but none of them justify stripping away previously existing security layers. The company loves to datamine and it definitely makes an effort to “shape” traffic by curtailing use of data-heavy sites. It also, as Steven Johns at Neowin points out, is an enthusiastic participant in law enforcement and investigative activities, going above and beyond what’s actually required of service providers.

In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests. Gogo’s network is fully compliant with the Communications Assistance for Law Enforcement Act (“CALEA”). The Commission’s ATG rules do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA. Nevertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.

So, whatever its myriad reasons for compromising the security of travelers, it’s likely the law enforcement angle that has the most to do with its fake SSL certificates. Every communication utilizing its service is fully exposed. Gogo keeping tabs on its users for itself (data mining) and law enforcement also exposes them to anyone else on the plane who wishes to do the same. Nowhere has it stated upfront that it will remove the security from previously secure websites and services. In fact, it says exactly the opposite in its Privacy Policy.

The airlines on whose planes the Services are available do not collect any information through your use of the Services, but we may share certain types of information with such airlines, as described below. Please remember that this policy only covers your activities while on the Gogo Domains; to the extent you visit third party websites, including the websites of our airline partners, the privacy policies of those websites will govern.

Except that those policies can’t govern, not when their underlying security has been compromised by fake Gogo SSL certificates.

The solution for travelers is to skip the service entirely, or run everything through a VPN. Gogo welcomes the use of VPNs for greater security, but even this wording is at odds with what it’s actually doing.

Gogo does support secure Virtual Private Network (VPN) and Secure Shell (SSH) access. If you have VPN, Gogo recommends that you use secure VPN protocols for greater security. SSL-encrypted websites or pages, typically indicated by “https” in the address field and a “lock” icon, can also generally be accessed through the Gogo Services. You should be aware, however, that data packets from un-encrypted Wi-Fi connections can be captured by technically advanced means when they are transmitted between a user’s Device and the Wi-Fi access point. You should therefore take precautions to lower your security risks.

Again, precautions are moot if Gogo deliberately inserts itself into the transmission with bogus certificates.

Gogo has yet to respond to this, but I would imagine its answer will involve pointing to the mess of contradictions it calls a Privacy Policy. Gogo can run its service however it wants to, but with its upcoming move into providing text messaging and voicemail access, it should really revamp the way it handles its customers’ connections.

Filed Under: , , , ,
Companies: gogo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates”

Subscribe: RSS Leave a comment
cerda (profile) says:

Re: MITM is for your security. Right?

yes, they probably have (I do not know because I never used their service); chances are they use a root off a known CA, so that they can dynamically issue a new “server” certificate on the fly (that will probably have the same common name, or even the same distinguished name, as the real site certificate).

You could blacklist it, but this will probably cause all HTTPS connections to fail. This is not a bad idea, all in all, but is sort of pointless: you already know they do MITM, so all you need to do is NOT use their service. As I do…

Perhaps a better approach would be to use SSH2 tunnelling, or VPNs (as long as the VPN software uses certificate & root(s) pinning, so that it will fail if a different cert is received).

No matter what, get used to checking the server certificate whenever you use a different provider. HTTPS inspection (a.k.a. MITM) is getting to be common-place.

John Fenderson (profile) says:

Re: I think they did respond...

And the very first phrase in the statement is a straight-up lie:

Gogo takes our customer’s privacy very seriously

Nobody performing MITM attacks can honestly claim that they’re taking their customer’s privacy seriously at all.

I’d been tempted to use GoGo a couple of times, but hadn’t because the service is far more expensive than it’s worth to me. Now I’m glad I never have, and will make sure that I never do.

Anonymous Coward says:

Re: Re: I think they did respond...


And the very first phrase in the statement is a straight-up lie:

Gogo takes our customer’s privacy very seriously

Nobody performing MITM attacks can honestly claim that they’re taking their customer’s privacy seriously at all.


It’s no lie. They take their customer’s privacy so seriously that they take it completely. No half-measures or flim-flam. 100% taken, seriously.

It’s all in the way that you look at the words, from the right angle, in the right light, English is useful that way.

TasMot (profile) says:

Re: Re: Re: Re:

No, they did not steal a certificate, they issued their own certificate that tries to impersonate the identity of Google. They pretended to be Google. Along the lines of would you mind if I issued myself an ID that says I’m you and take it to the bank and take out your money? They issued themselves a certificate that says they are Google. Now, they can decrypt your ID and Password for your internet traffic. Who knows what else they will see and take while they are looking at your internet browsing? Identity theft is representing yourself (their business) as someone else (in this case, Google, another business). Why are you saying that it is OK?

cerda (profile) says:

Re: Re: Re:2 it can happen; it is happening; it should not be allowed, though.

I did NOT state it is OK. I do not agree with it, given this breaks, completely, the already flimsy trust I have on X.509 certificate usage.

But it is, still, a valid use of X.509. Welcome to the marvelous world of standards.

The whole point here is it IS used. One can buy (er, licence) available commercial software to do that. The only thing we can do is loudly complain about services using this. And be very careful when accessing HTTPS sites anywhere.

In summary: the new reality is this will get to be even more common. Many companies already deploy HTTPS inspection, many more will do (perhaps because of liability containment).

The fact this is stupid has no impact on it being deployed.

cerda (profile) says:

Re: Re: Re:4 it can happen; it is happening; it should not be allowed, though.

Technically valid. Morally, and legally… this is a different discussion. If it will be legally valid will have to wait until a number of courts of law discuss it. Right now I cannot even state it is illegal (my opinion, IANAL).

For the moral and ethical parts… all I can say is that — and, again, in my opinion — this is ethically wrong: certificates are used to provide one with a private conversation between parts. HTTPS inspection breaks this expectation of privacy. Since, many times, security depends on privacy, then HTTPS inspection implies a break in security as well.

This is even more critical if one thinks of how we have been promoting HTTPS usage — which, pretty much, boils down to “use HTTPS and you will be secure”. Add to it the fact that all browsers allow for one to bypass the security warnings and proceed — which the majority of users do — and this is a recipe for disaster (I like the ability to bypass the security warning, but I have a pretty good idea of what to do, and of the risks).

On the other hand, a similar process has been in use for quite many years to allow compartimentalisation and increase security. Picture a site that uses an internal CA to generate certificates that are used internally, and has a gateway to the external world (“protected” by a publicly-acquired certificate). By using software that requires all certificate roots to be present (and refuses to accept new roots over the wire), this site can guarantee that internal data will not be mistakenly sent out, or that external data will not be accepted unless coming in thru the gateway. In this usage, the internal servers only have the roots for the internal CA, and the gateway has only the internal root for the internal-facing, ah, listener, and the external root for the external-facing one.

This uses a similar (in functionality) software. Also, I am simplifying this a lot.

So. As usual, it is not the technology that is bad, but the usage one makes of it. But, frankly, X.509 is a dated technology, does not scale well, does not really guarantee provenance, etc, etc, ad nauseum.

John Fenderson (profile) says:

Re: Re:

“How is it that running a MITM attack and issuing a bogus security certificate to let you spy on someone else’s private transmissions doesn’t fall afoul of wiretap laws?”

I think there are two aspects to this. First, the internet isn’t counted as a communications service (yet another reason we need title II) so I don’t think wiretap laws apply. Second, they’re doing this entirely on their own systems, so the newer anti-hacking laws (that were supposed to fill the wiretap law gap in part) don’t apply.

The bottom line is — if you’re using someone else’s system to access the internet, you have to consider the entire system to be compromised.

Anonymous Coward says:

Re: Re:

Lets not put all the blame on them, this thing was most likely forced on them with one of those rubberstamp things.

Techdirt itself makes the case that they went above and beyond the law, which casts doubt on the idea that this is done pursuant to a rubberstamped order. Further, Techdirt also points out that their privacy policy is a confusing mess that seems to deny that they do what they are clearly doing. So absolutely we should blame them. If they cannot even follow their published privacy policy, they should amend the policy. Moreover, if they have MITM capability, they should flaunt it by having a mandatory splash page that specifically warns that you have no privacy.

Just Passin' Thru says:

What about "right to privacy"

If Gogo does business in California, I’d think they are violating the California Constitution’s provision for citizen’s “Right to Privacy”. Perhaps someone will sue them.

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

Also, I’d think they are possibly violating other California laws, e.g.:

Electronic Eavesdropping – California Penal Code sections 630-638. Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radio telephone, cellular radio telephone, cable or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7). It prohibits cable TV and satellite TV operators from monitoring or recording conversations in a subscriber’s residence, or from sharing individually identifiable information on subscriber viewing habits or other personal information without written consent (section 637.5).

There are dozens more… see the whole list: http://oag.ca.gov/privacy/privacy-laws

Adam Troy says:

Acceptable Use Policies

I have implemented this type of service for use in other corporations. All it does is decrypt the HTTPS packets in order to view the URL and log visits or block the transaction based on a certain set of rules. When you log into their WIFI, you have to accept their terms of service. As a part of this you are allowing them to see what websites you are going to.

These devices do not look into the packets and store the information. All they do is log transactions. Gogo says they use it to shape traffic and that totally makes sense, they have a limited amount of bandwidth on an airplane (ten years ago this sounded like a far off dream) and in order to support more than one person on the flight they need to limit what kind of traffic goes across it.

Please use your brains before crying conspiracy. It is a valid use of technology and I’m quite sure that many of your residential ISPs take advantage of this service.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...