The largest inflight Internet provider, Gogo, is under fire after a Google Chrome security engineer took to Twitter with her discovery that the service was issuing fake SSL certificates.
During a recent flight, Adrienne Porter Felt (@__apf__) noted that while she was accessing Google sites, the SSL certificate was actually being issued by Gogo – an “untrusted issuer” – instead of Google.
hey @Gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU
— Adrienne Porter Felt (@__apf__) January 2, 2015
Without the encryption that the SSL/TLS protocols are intended to provide, Porter Felt’s information – along with that of numerous other passengers – could potentially have been monitored by Gogo.
The Wi-Fi service is currently offered on multiple national and international airlines, including Aeromexico, American Airlines, Air Canada, Delta, United Airlines, as well as Virgin Atlantic. Gogo also provides customers with in-flight texting and access to voice mail.
Google reported it is in direct contact with Gogo and is further investigating the issue.
In response to much criticism and allegations of these man-in-the-middle attacks, Gogo’s Executive Vice President and Chief Technology Officer Anand Chari issued a statement on Monday, saying:
Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it … it impacts only some secure video streaming sites and does not affect general secure internet traffic.
Chari added that Gogo uses these techniques to ensure that inflight Internet users have a consistent browsing experience. “We can assure customers that no user information is being collected when any of these techniques are being used,” said Chari.
While Gogo may not be using the technology to pry into personal data, proxying secure connections potentially introduces SSL bugs like POODLE, which could allow someone else to access private data, explained Tripwire security researcher Craig Young.
“Although it does not look like Gogo is intercepting all SSL traffic, users of the service who are conscientious about their privacy should consider using a VPN to tunnel traffic through a secure endpoint,” said Young.