Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates

from the 'trusted-partner,'-my-ass dept

When you're flying, your internet connection is completely in the hands of a single company. There's no searching around for another signal. So, however the provider decides to handle your connection, that's what you're stuck with. A captive audience usually results in fun things like high prices and connection throttling. And, if you're Gogo Inflight, it means compromising the security of every traveler who chooses to use the service, just because you can.

Gogo Inflight Internet seems to believe that it is justified in performing a man-in-the-middle attack on its users. Adrienne Porter Felt, an engineer on the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she requested Google sites. Looking at the issuer field of the certificate showed that it had been issued by Gogo rather than by Google.
The bogus certificate was captured in a screenshot tweeted out by Felt.
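The check Felt did by eye in Chrome's certificate viewer, reading the issuer off the certificate the server presented, can be scripted. The example below is added here and is not code from the article, from Google or from Gogo; it uses only the Python standard library, and the host name, CA names and certificate contents in the two samples are constructed for the example (they mirror the dict shape that `ssl.SSLSocket.getpeercert()` returns). It checks two things a practitioner cares about: whether the chain validates against the local trust store at all (a proxy signing with its own private root, the Gogo case, fails here, which is why Chrome warned), and, if it does validate, whether the issuer is one expected for that site (this catches a proxy root that has been installed on the device, where the handshake succeeds but the issuer is still not the real CA).

```python
import socket
import ssl


def _rdn_to_dict(rdn_seq):
    """getpeercert() encodes an X.509 name as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; flatten that to {attribute: value}."""
    return {attr: value for rdn in rdn_seq for (attr, value) in rdn}


def _name_matches(pattern, host):
    """Minimal RFC 6125-style match: exact, or a single leading '*' label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # The wildcard may stand in for exactly one label.
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def audit_peer_cert(cert, host, expected_issuer_orgs):
    """Return a list of findings about a validated peer certificate; an empty
    list means the certificate looks like the genuine site's.

    `cert` is the dict returned by ssl.SSLSocket.getpeercert(). Python returns
    an empty dict when the chain was not validated, so an empty dict already
    means "the trust store does not vouch for this chain"."""
    if not cert:
        return ["no validated certificate: the chain did not verify against the trust store"]
    findings = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:  # legacy CN-only certificates
        names = [subject["commonName"]]
    if not any(_name_matches(name, host) for name in names):
        findings.append(f"certificate names {names} do not cover {host}")
    org = issuer.get("organizationName", "")
    if org not in expected_issuer_orgs:
        findings.append(
            f"issuer organization {org!r} is not one of {sorted(expected_issuer_orgs)}: "
            "an interception proxy or a locally installed root is re-signing this site"
        )
    return findings


def fetch_and_audit(host, expected_issuer_orgs, port=443, timeout=5.0):
    """Live check against a real network (not exercised by the samples below).
    A proxy that signs with its own private root fails the handshake here, the
    same failure the article's screenshot shows; a proxy root that has been
    installed on the device passes the handshake and is caught by the issuer
    check in audit_peer_cert instead."""
    ctx = ssl.create_default_context()  # system roots, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return audit_peer_cert(tls.getpeercert(), host, expected_issuer_orgs)
    except ssl.SSLCertVerificationError as exc:
        return [f"TLS handshake rejected the certificate: {exc.reason}"]


# Constructed samples in getpeercert() shape. The host and CA names are made up.
GENUINE_SAMPLE = {
    "subject": ((("commonName", "www.example-mail.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Trust CA G2"),),
    ),
    "subjectAltName": (("DNS", "www.example-mail.test"), ("DNS", "*.example-mail.test")),
}

# Same host, but re-signed by the in-flight proxy's own private CA, which is the
# pattern the screenshot showed: right subject, wrong issuer.
INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "www.example-mail.test"),),),
    "issuer": (
        (("organizationName", "inflight-proxy.test"),),
        (("commonName", "inflight-proxy.test CA"),),
    ),
    "subjectAltName": (("DNS", "www.example-mail.test"),),
}

EXPECTED_ISSUERS = {"Example Trust Services"}

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_SAMPLE), ("intercepted", INTERCEPTED_SAMPLE)):
        findings = audit_peer_cert(sample, "www.example-mail.test", EXPECTED_ISSUERS)
        print(label, "->", findings or "ok")
```

The one-off equivalent at a shell is `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject`, which prints the same issuer line Felt read in the certificate viewer; the point of the scripted version is that it can be run on every flight and on every host you care about, and that it distinguishes a chain the trust store rejects from one that validates only because someone installed an extra root on the machine.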

Now, Gogo Inflight likely has several reasons why it would perform a MITM attack on its users, but none of them justify stripping away a security layer its users already had. The company loves to mine user data, and it definitely makes an effort to "shape" traffic by curtailing use of data-heavy sites. It also, as Steven Johns at Neowin points out, is an enthusiastic participant in law enforcement and investigative activities, going above and beyond what's actually required of service providers.
In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests. Gogo’s network is fully compliant with the Communications Assistance for Law Enforcement Act (“CALEA”). The Commission’s ATG rules do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA. Nevertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.
So, whatever its myriad reasons for compromising the security of travelers, it's likely the law enforcement angle that has the most to do with its fake SSL certificates. Every HTTPS session in which the client accepts the substituted certificate is readable by Gogo in plaintext. Gogo keeping tabs on its users for itself (data mining) and for law enforcement also exposes them to anyone else on the plane who wishes to do the same: a traveler who has learned to click through the certificate warning that Gogo's substitution triggers will click through the identical warning from a rogue access point or another passenger on the same open Wi-Fi. Nowhere has it stated upfront that it will remove the security from previously secure websites and services. In fact, it says exactly the opposite in its Privacy Policy.
The airlines on whose planes the Services are available do not collect any information through your use of the Services, but we may share certain types of information with such airlines, as described below. Please remember that this policy only covers your activities while on the Gogo Domains; to the extent you visit third party websites, including the websites of our airline partners, the privacy policies of those websites will govern.
Except that those policies can't govern, not when their underlying security has been compromised by fake Gogo SSL certificates.

The solution for travelers is to skip the service entirely, or run everything through a VPN. Gogo welcomes the use of VPNs for greater security, but even this wording is at odds with what it's actually doing.
Gogo does support secure Virtual Private Network (VPN) and Secure Shell (SSH) access. If you have VPN, Gogo recommends that you use secure VPN protocols for greater security. SSL-encrypted websites or pages, typically indicated by “https” in the address field and a “lock” icon, can also generally be accessed through the Gogo Services. You should be aware, however, that data packets from un-encrypted Wi-Fi connections can be captured by technically advanced means when they are transmitted between a user’s Device and the Wi-Fi access point. You should therefore take precautions to lower your security risks.
Again, those precautions are moot if Gogo deliberately inserts itself into the transmission with bogus certificates: the "https" and the lock icon its own policy points to are exactly what the substituted certificates undermine. Only a VPN or SSH tunnel whose client authenticates its endpoint by a key it already knows, rather than by whatever certificate arrives over the wire, escapes the interception.

Gogo has yet to respond to this, but I would imagine its answer will involve pointing to the mess of contradictions it calls a Privacy Policy. Gogo can run its service however it wants to, but with its upcoming move into providing text messaging and voicemail access, it should really revamp the way it handles its customers' connections.


Reader Comments

  • Mike Masnick (profile), 5 Jan 2015 @ 9:59am

    interesting...

    I have such bad experiences with Gogo and it seems to be getting worse. When I flew a few weeks ago, it wouldn't even let me log in because I was using Google DNS...

  • Chris Charabaruk, 5 Jan 2015 @ 10:26am

    Do they at least have a root certificate signing all their fake certs? Would make it at least a little simpler at blacklisting them.

    • cerda (profile), 5 Jan 2015 @ 10:48am

      MITM is for your security. Right?

      Yes, they probably have (I do not know because I *never* used their service); chances are they use a root off a known CA, so that they can dynamically issue a new "server" certificate on the fly (that will probably have the same common name, or even the same distinguished name, as the real site certificate).

      You could blacklist it, but this will probably cause all HTTPS connections to fail. This is not a bad idea, all in all, but is sort of pointless: you already know they do MITM, so all you need to do is *NOT* use their service. As I do...

      Perhaps a better approach would be to use SSH2 tunnelling, or VPNs (as long as the VPN software uses certificate & root(s) pinning, so that it will fail if a different cert is received).

      No matter what, get used to checking the server certificate whenever you use a different provider. HTTPS inspection (a.k.a. MITM) is getting to be commonplace.

      • cerda (profile), 5 Jan 2015 @ 10:50am

        Re: MITM is for your security. Right?

        Correction: looked at the cert screenshot, GoGo is NOT using a known root. So usual paranoia should be enough, for the people that understand X.509.

        But, for the common user, it will be swallowed as-is.

        • Anonymous Coward, 6 Jan 2015 @ 6:20am

          Re: Re: MITM is for your security. Right?

          Correction: looked at the cert screenshot, GoGo is NOT using a known root.
          But Youtube clearly loaded despite the bad certificate. Does Chrome really do that, or does it mean the user overrode a warning?

          • R.H. (profile), 6 Jan 2015 @ 9:40am

            Re: Re: Re: MITM is for your security. Right?

            Chrome, by default, won't even let you override the warning on Google sites (and possibly some others but I'm not certain). The Chrome security engineer in question specifically changed settings to allow it to load so she could have proof of the man-in-the-middle attack.

  • Megahurtz, 5 Jan 2015 @ 10:27am

    I think they did respond...

    • John Fenderson (profile), 5 Jan 2015 @ 1:10pm

      Re: I think they did respond...

      And the very first phrase in the statement is a straight-up lie:

      Gogo takes our customer’s privacy very seriously

      Nobody performing MITM attacks can honestly claim that they're taking their customer's privacy seriously at all.

      I'd been tempted to use GoGo a couple of times, but hadn't because the service is far more expensive than it's worth to me. Now I'm glad I never have, and will make sure that I never do.

      • Anonymous Coward, 5 Jan 2015 @ 3:06pm

        Re: Re: I think they did respond...

        -quote-

        And the very first phrase in the statement is a straight-up lie:

        Gogo takes our customer’s privacy very seriously

        Nobody performing MITM attacks can honestly claim that they're taking their customer's privacy seriously at all.

        -endquote-

        It's no lie. They take their customer's privacy so seriously that they take it completely. No half-measures or flim-flam. 100% taken, seriously.

        It's all in the way that you look at the words, from the right angle, in the right light, English is useful that way.

  • TheResidentSkeptic (profile), 5 Jan 2015 @ 10:30am

    A more simple response

    #gogofckurself

  • Mason Wheeler (profile), 5 Jan 2015 @ 10:33am

    And of course I'm sure there's no way to bust them over this. How is it that running a MITM attack and issuing a bogus security certificate to let you spy on someone else's private transmissions doesn't fall afoul of wiretap laws?

    • TasMot (profile), 5 Jan 2015 @ 10:36am

      Re:

      Or does this fall under identity theft? After all, they have "stolen" Google's identity by issuing a certificate in their name without their approval.

      • cerda (profile), 5 Jan 2015 @ 10:52am

        Re: Re:

        I doubt it. They did not steal a real certificate, they just created another one signed by their own root. This is, even if not really candid, an accepted use of the protocol.

        • TasMot (profile), 5 Jan 2015 @ 11:22am

          Re: Re: Re:

          No, they did not steal a certificate, they issued their own certificate that tries to impersonate the identity of Google. They pretended to be Google. Along the lines of would you mind if I issued myself an ID that says I'm you and take it to the bank and take out your money? They issued themselves a certificate that says they are Google. Now, they can decrypt your ID and Password for your internet traffic. Who knows what else they will see and take while they are looking at your internet browsing? Identity theft is representing yourself (their business) as someone else (in this case, Google, another business). Why are you saying that it is OK?

          • cerda (profile), 5 Jan 2015 @ 12:45pm

            it can happen; it is happening; it should not be allowed, though.

            I did NOT state it is OK. I do not agree with it, given this breaks, completely, the already flimsy trust I have on X.509 certificate usage.

            But it is, still, a valid use of X.509. Welcome to the marvelous world of standards.

            The whole point here is it IS used. One can buy (er, licence) available commercial software to do that. The only thing we can do is loudly complain about services using this. And be *very* careful when accessing HTTPS sites *anywhere*.

            In summary: the new reality is this will get to be even more common. Many companies already deploy HTTPS inspection, many more will do (perhaps because of liability containment).

            The fact this is stupid has no impact on it being deployed.

            • nasch (profile), 6 Jan 2015 @ 6:08am

              Re: it can happen; it is happening; it should not be allowed, though.

              But it is, still, a valid use of X.509.

              The question is, what do you mean by valid? Legally valid? Morally valid? Obviously we can tell it's technically valid because they're doing it.

              • cerda (profile), 6 Jan 2015 @ 7:36am

                Re: Re: it can happen; it is happening; it should not be allowed, though.

                Technically valid. Morally, and legally... this is a different discussion. Whether it will be legally valid will have to wait until a number of courts of law discuss it. Right now I cannot even state it is illegal (my opinion, IANAL).

                For the moral and ethical parts... all I can say is that -- and, again, in my opinion -- this is ethically wrong: certificates are used to provide one with a *private* conversation between parties. HTTPS inspection breaks this expectation of privacy. Since, many times, security depends on privacy, then HTTPS inspection implies a break in security as well.

                This is even more critical if one thinks of how we have been promoting HTTPS usage -- which, pretty much, boils down to "use HTTPS and you will be secure". Add to it the fact that all browsers allow for one to bypass the security warnings and proceed -- which the majority of users do -- and this is a recipe for disaster (I *like* the ability to bypass the security warning, but I have a pretty good idea of what to do, and of the risks).

                On the other hand, a similar process has been in use for quite many years to allow compartmentalisation and *increase* security. Picture a site that uses an internal CA to generate certificates that are used internally, and has a gateway to the external world ("protected" by a publicly-acquired certificate). By using software that requires all certificate roots to be present (and refuses to accept new roots over the wire), this site can guarantee that internal data will not be mistakenly sent out, or that external data will not be accepted unless coming in through the gateway. In this usage, the internal servers only have the roots for the internal CA, and the gateway has *only* the internal root for the internal-facing, ah, listener, and the external root for the external-facing one.

                This uses a similar (in functionality) software. Also, I am simplifying this a *lot*.

                So. As usual, it is not the technology that is bad, but the usage one makes of it. But, frankly, X.509 is a dated technology, does not scale well, does not really guarantee provenance, etc, etc, ad nauseam.

            • Anonymous Coward, 8 Jan 2015 @ 9:48am

              Re: it can happen; it is happening; it should not be allowed, though.

              "But it is, still, a valid use of X.509. Welcome to the marvelous world of standards."

              Then bank robbery is a valid use of a gun. Welcome to the marvelous world of "it's OK because it's possible".

    • John Fenderson (profile), 5 Jan 2015 @ 1:14pm

      Re:

      "How is it that running a MITM attack and issuing a bogus security certificate to let you spy on someone else's private transmissions doesn't fall afoul of wiretap laws?"

      I think there are two aspects to this. First, the internet isn't counted as a communications service (yet another reason we need title II) so I don't think wiretap laws apply. Second, they're doing this entirely on their own systems, so the newer anti-hacking laws (that were supposed to fill the wiretap law gap in part) don't apply.

      The bottom line is -- if you're using someone else's system to access the internet, you have to consider the entire system to be compromised.

  • Anonymous Coward, 5 Jan 2015 @ 11:23am

    Let's not put all the blame on them, this thing was most likely forced on them with one of those rubberstamp things.

    • Anonymous Coward, 5 Jan 2015 @ 11:31am

      Re:

      Let's not put all the blame on them, this thing was most likely forced on them with one of those rubberstamp things.
      Techdirt itself makes the case that they went above and beyond the law, which casts doubt on the idea that this is done pursuant to a rubberstamped order. Further, Techdirt also points out that their privacy policy is a confusing mess that seems to deny that they do what they are clearly doing. So absolutely we should blame them. If they cannot even follow their published privacy policy, they should amend the policy. Moreover, if they have MITM capability, they should flaunt it by having a mandatory splash page that specifically warns that you have no privacy.

  • Anonymous Coward, 5 Jan 2015 @ 12:50pm

    I'm confused. Isn't this a violation of federal wiretap law? Or are they saying a MITM attack is legal? Seems a slippery slope...

  • Just Passin' Thru, 5 Jan 2015 @ 7:03pm

    What about "right to privacy"

    If Gogo does business in California, I'd think they are violating the California Constitution's provision for citizens' "Right to Privacy". Perhaps someone will sue them.

    All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

    Also, I'd think they are possibly violating other California laws, e.g.:

    Electronic Eavesdropping - California Penal Code sections 630-638. Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radio telephone, cellular radio telephone, cable or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7). It prohibits cable TV and satellite TV operators from monitoring or recording conversations in a subscriber's residence, or from sharing individually identifiable information on subscriber viewing habits or other personal information without written consent (section 637.5).

    There are dozens more... see the whole list: http://oag.ca.gov/privacy/privacy-laws

  • Anonymous Coward, 5 Jan 2015 @ 10:23pm

    MITM attacking everyone's Gmail and Facebook passwords is something I'd expect to see happen on a Chinese airliner. Not an American airliner.

    America certainly has changed since 9/11. I'd argue for the worse. Mimicking the Great Firewall of China is a step backwards in my book.

  • Anonymous Coward, 6 Jan 2015 @ 3:48am

    #InternetCensorship

  • Adam Troy, 3 Feb 2015 @ 2:28pm

    Acceptable Use Policies

    I have implemented this type of service for use in other corporations. All it does is decrypt the HTTPS packets in order to view the URL and log visits or block the transaction based on a certain set of rules. When you log into their Wi-Fi, you have to accept their terms of service. As a part of this you are allowing them to see what websites you are going to.

    These devices do not look into the packets and store the information. All they do is log transactions. Gogo says they use it to shape traffic and that totally makes sense, they have a limited amount of bandwidth on an airplane (ten years ago this sounded like a far off dream) and in order to support more than one person on the flight they need to limit what kind of traffic goes across it.

    Please use your brains before crying conspiracy. It is a valid use of technology and I'm quite sure that many of your residential ISPs take advantage of this service.

    • nasch (profile), 3 Feb 2015 @ 5:37pm

      Re: Acceptable Use Policies

      It is a valid use of technology and I'm quite sure that many of your residential ISPs take advantage of this service.

      Issuing phony SSL certificates is by no means a legitimate use of the technology.

  • Michael G., 15 Mar 2015 @ 6:57pm

    they aren't doing this now

    I'm currently typing this on a Gogo service on AA. Both gmail and youtube have legitimate certificates from Google as of 3/15/15

  • USM (profile), 31 Jul 2017 @ 8:41am

    Unlimited wifi on all airlines

    US Mobile has an unlimited inflight wifi for $10/month.

