Flyers who don't want their data intercepted by Gogo LLC, or unnecessarily fall into the hands of law enforcement, might want to reconsider using the inflight WiFi service after it was found to be using fake Google SSL certificates.
The practice, which essentially sets up a man-in-the-middle (MitM) attack of sorts, was discovered by Google engineer Adrienne Porter Felt, who logged into Gogo WiFi during a recent flight.
After seeing a telltale red “x” in her address bar, warning that the certificate for a site “was signed by an untrusted issuer,” Felt realized that Gogo, not Google, had signed it.
The engineer took to Twitter to question Gogo, tweeting “Hey @Gogo, why are you issuing *.google.com certificates on your planes?”
Felt's tweet drew speculation—and accusations—from other Twitter users regarding Gogo's motivations. One user that goes by the handle @monsters77 called the practice “nefarious,” while Dan Tentler, co-founder and chief technologist at Carbon Dynamics tweeted that the company's actions show “they MITM your connection and pipe absolutely everything to law enforcement. This has been documented.”
Indeed, Gogo has come under fire in the past for too readily offering law enforcement easy access to intercept data.
In a letter to the Federal Communications Commission (FCC) in 2012 Gogo noted that it “worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests,” which by its own admission exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA). “Gogo then implemented those functionalities into its system design,” the letter said.
After Felt's discovery of the fake certificates, Gogo issued a statement from Anand Chari, Executive vice president and CTO at Gogo, saying the company takes customer privacy seriously and is “committed to bring the best internet experience to the sky.” Noting that the service “is working on many ways to bring more bandwidth to an aircraft.” To that end, currently the company does not support “various streaming video sites” and uses “several techniques to limit/block video streaming.”
An off-the-shelf solution used by Gogo “proxies secure video traffic to block it,” said Chari. “Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic.”