Gogo Inc. provides in-flight broadband Internet service and other connectivity services for commercial and business aircraft, allowing its users to connect to the web and answer emails while they are on their flights. The service, which is offered at $59.95 a month for unlimited access ($49.95 for a single airline) or a one-time payment of $16.00 for 24 hours of access, has recently been discovered serving fake/self-issued SSL certificates to its users.
SSL, or Secure Sockets Layer, is a security technology for establishing an encrypted link between a server and a client – typically a web server, browser, or mail client. Due to its use of cryptography and certificate validation, real SSL certificates make “man in the middle” attacks (an attack in which a third party is able to monitor your web traffic) much more difficult. The use of true SSL certificates also makes the transmission of secure data like credit card numbers and passwords much safer, as it forces the person attempting to gain access to that data to attack the SSL certificate first.
Gogo Inflight internet seems to be disregarding these precautions, however, and appears to be serving fake SSL certificates to its users. Adrienne Porter Felt, an engineer on the Google Chrome security team, discovered that she was being served Gogo SSL certificates instead of Google’s own while on a flight last Friday, and revealed this via Twitter:
— Adrienne Porter Felt (@__apf__) January 2, 2015
To clarify the tweet above: while *.google.com is the official certificate for YouTube, the issuer shown, 10.240.31.12, is not the official issuer, and the issuing organization is “Gogo”. Inspection of the true certificate shows that the real issuer is “Google Internet Authority G2”, but the dates are the same. There are a number of reasons that this could be happening, but no matter the reason, doing this allows Gogo to see user data and usage outside of their bandwidth usage. Check out the real certificate below:
Many Twitter users responded to the tweet with various questions, which Adrienne promptly answered. The SSL cert was not used to redirect to/from the sign-up page, or to bypass Google Chrome pinning. While a fake/self-issued cert could be used to do something like throttle streaming, there are significantly better ways to accomplish this without sacrificing user security. For a company that is serving pages to a massive number of people across Aeromexico, American Airlines, Air Canada, Japan Airlines, Virgin Atlantic, and many others, this is an action that is very much frowned upon by anyone who values their privacy online.
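The issuer comparison behind the tweet can be automated. As an added example (not code from this article, Gogo, or Google), the Python check below inspects certificates in the dict form returned by `ssl.SSLSocket.getpeercert()`; the two sample certificates are constructed from the names quoted above, and their validity dates are placeholders.

```python
import ipaddress

# Issuer name the page gives for the genuine *.google.com certificate.
EXPECTED_ISSUER_CN = "Google Internet Authority G2"

# Constructed samples in the dict layout of ssl.SSLSocket.getpeercert().
# Names come from the page; the validity dates are made-up placeholders and
# are identical on purpose, since the page notes the dates matched.
GENUINE = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("commonName", "Google Internet Authority G2"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Apr  1 00:00:00 2015 GMT",
}
INTERCEPTED = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "Gogo"),), (("commonName", "10.240.31.12"),)),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Apr  1 00:00:00 2015 GMT",
}


def rdn_to_dict(name):
    """Flatten getpeercert()'s tuple-of-RDNs into {attribute: value}."""
    return {key: value for rdn in name for key, value in rdn}


def issuer_findings(cert, expected_issuer_cn=EXPECTED_ISSUER_CN):
    """Return reasons the issuer does not look like the expected CA."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    issuer_cn = issuer.get("commonName", "")
    findings = []
    if issuer_cn != expected_issuer_cn:
        findings.append(f"issuer CN {issuer_cn!r}, expected {expected_issuer_cn!r}")
    try:
        addr = ipaddress.ip_address(issuer_cn)
    except ValueError:
        addr = None  # an ordinary CA name, not an address
    if addr is not None:
        scope = "private" if addr.is_private else "public"
        findings.append(f"issuer CN is a {scope} IP address")
    if issuer and issuer == subject:
        findings.append("self-issued: issuer equals subject")
    return findings


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, issuer_findings(cert) or "no findings")
```

With a default verifying context, a certificate from an untrusted issuer fails the handshake before `getpeercert()` returns anything, so this check is for cases where the intercepting CA is trusted on the device or the certificate was decoded some other way.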
In July of 2014, it was revealed via legal FCC documentation that Gogo partnered with officials to produce “capabilities to accommodate law enforcement interests” which would allow them to reveal information that couldn’t be gained through normal investigation. That documentation also mentioned how Gogo worked with law enforcement to directly insert spyware into their access services. Combined with that, there is now the revelation that Gogo could potentially be using fake/self-issued SSL certificates to “attack” its users’ browsing sessions in order to gain even more information to share or sell.
TechRaptor Note: If you have used Gogo in the past, it is definitely worth considering that all of your communications, both over SSL and outside of it, could have been compromised and accessed by others. If you’ve used Gogo’s services, we highly recommend changing any passwords you used while on the service. For the time being, if you will be using Gogo services, we also recommend that you use a VPN or a service like Tor to protect yourself.
Update 1/5/2015 12:30 PM – We have reached out to Gogo for comment, and got the following response:
Our Chief Technology Officer, Anand Chari, issued a statement on this:
“Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo-equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”
In short, the statement says that Gogo uses proxies on streaming sites such as YouTube to throttle streaming and maintain good speeds for all users of the service. While this is all the information that has been given, the discovery of this issue will likely bring more in the days to come.