Gogo In-flight Internet issues Fake SSL Certificates to its own Customers

Gogo, one of the largest providers of in-flight Internet service, has been caught issuing fake SSL certificates, allowing the in-flight broadband provider to launch man-in-the-middle (MITM) attacks on its own users and view passwords and other sensitive information.

The news came to light when security engineer Adrienne Porter Felt, who works on Google Chrome’s security team, was served the phony SSL certificate while trying to connect to Google's video service YouTube. She noticed that the SSL certificate was signed by an untrusted issuer and wasn’t issued by Google, but rather by Gogo itself.

Felt publicly posted details about the spoofed certificate on Twitter and also provided a screenshot of the HTTPS certificate Gogo issued her when she visited YouTube. Felt tweeted, “Hey, @Gogo, why are you issuing *.google.com certificates on your planes?”

Like other unauthorized certificates, the fake Gogo certificate would generate warnings in virtually all modern browsers. But if users click the OK button without reading the warning, as most Internet users do, the bogus credential would allow Gogo to decrypt any traffic passing between end users and YouTube.

Spoofing certificates is the basis of a man-in-the-middle (MITM) attack, a technique most commonly used by cyber crooks to intercept sensitive data being sent between two systems.
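The check a client can make instead of clicking through the warning, as an added example (not code from the article, Gogo or Google): handshake with full verification, then compare the issuer against the one expected for the host. It goes one step beyond the incident by also covering a proxy CA that the device already trusts; the issuer names and `EXPECTED_ISSUER_ORGS` are constructed placeholders.

```python
import socket
import ssl

# Assumption: issuer organisations expected for the host (placeholder value).
EXPECTED_ISSUER_ORGS = {"Example Trusted CA"}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(cert, verify_error=None, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Classify a handshake: 'ok', 'verification-failed' or 'unexpected-issuer'."""
    if verify_error is not None:
        # Chain or hostname did not validate: the case a browser warns about.
        return "verification-failed"
    if issuer_org(cert) not in expected_orgs:
        # Chain validated, but under a CA other than the expected one
        # (for example a proxy root present in the local trust store).
        return "unexpected-issuer"
    return "ok"


def probe(host, port=443, timeout=5.0):
    """Handshake with full verification; never falls back to CERT_NONE."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return assess(cert), issuer_org(cert)
    except ssl.SSLCertVerificationError as exc:
        return assess({}, verify_error=exc), exc.verify_message


# Constructed getpeercert()-style samples, not captured from any real network.
GENUINE = {"issuer": ((("organizationName", "Example Trusted CA"),),
                      (("commonName", "Example Issuing CA 1"),))}
PROXIED = {"issuer": ((("organizationName", "Example Inflight Proxy"),),
                      (("commonName", "Proxy Signing CA"),))}

if __name__ == "__main__":
    print(assess(GENUINE), assess(PROXIED), assess({}, verify_error="untrusted"))
```

`probe()` needs network access; the constructed samples exercise `assess()` offline.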

In response to the incident, Gogo Chief Technology Officer Anand Chari issued a statement saying that the incident was down to the company's streaming video policy.
"Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky," the statement reads. "We have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it."
"We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience."
Gogo Inflight Internet provides in-flight Wi-Fi and digital entertainment to many airlines including Delta, American Airlines, U.S. Airways, Aeromexico, Virgin Atlantic and Air Canada using a proprietary air-to-ground network. However, by signing certificates for Google itself, Gogo apparently harms its users’ secure browsing, because certificates are designed to assure online users that they are connecting to a genuine site and not an impostor.

Whatever innocent reasons the company has, spoofed certificates are by no means acceptable, because users’ traffic is very sensitive. Google is currently in contact with Gogo and is investigating the matter.

In your view, what could be the reason for one of the largest providers of in-flight Internet service to issue phony certificates? You can share your views in the comments below.
