In-flight Wi-Fi Firm Gogo MITMs Users to Save Bandwidth

Controversial in-flight Wi-Fi provider Gogo has admitted using fake Google SSL certificates to block video streaming services while it improves on-board bandwidth.

The firm’s CTO Anand Chari was responding to claims by Google Chrome security researcher Adrienne Porter Felt that it issued *.google.com certs on its planes, effectively launching Man in the Middle attacks against its users.

He claimed that the fake certs were simply one of a number of techniques used to limit or block video streaming and that “no user information is being collected when any of these techniques are being used.”

He continued:

“One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the internet on a Gogo equipped plane will have a consistent browsing experience.”

However, commenters on the statement did not appear reassured, with several claiming the firm could block streaming in a way that’s more transparent and less problematic for user privacy.

The issue is doubly concerning for Gogo users given the company’s track record on user privacy.

Last year, it was reported that the firm voluntarily exceeded the requirements of the Communications Assistance for Law Enforcement Act – effectively cutting a deal with law enforcement which alarmed civil liberties groups.

Tom Gaffney, security advisor at F-Secure, explained that by issuing a fake certificate, Gogo could have controlled the data sent and received from a user’s device as per a classic MITM attack.

“There are much better ways of limiting streaming services, by monitoring requested addresses or protocols to check if streaming services are used. They could also restrict bandwidth per device,” he told Infosecurity.

“It may be that these kinds of solutions are too costly for Gogo and so they went with a seemingly easier method – a hack. Doing this is fundamentally wrong. Even if Gogo’s motivations are sincere this is the wrong way to fix the issue.”

Gaffney added that it would be well within Google’s rights to revoke the fake certificate issued by Gogo.
