Gogo Caught Forging SSL Certificates
Inflight internet connectivity provider Gogo has been caught forging SSL certificates and serving them to their customers. Flyer Adrienne Porter Felt tweeted a screenshot of the forgery for Google. Her tweet: "hey @Gogo, why are you issuing *.google.com certificates on your planes?" Coincidentally, she is also a member of the Google Chrome security team.
Gogo released a statement about their forgery. By using the forged SSL certificates they are able to inspect the connection and filter out streaming video requests. According to Gogo, it impacts only some secure video streaming sites and does not affect general secure internet traffic. Unfortunately, Gogo is essentially performing a man-in-the-middle attack on their customers. The same capability that allows them to filter out video also allows them to snoop on any other secure content in the connection. While they claim not to be collecting any user information, Gogo has undermined the security of the secure SSL connections by spying on their customers.
A user can avoid this situation by using a VPN, SSH tunnel or Tor. Without a secure method for preventing the snooping, a user must either accept or reject the fake SSL certificate. Gogo customers can reject the certificate, but they won’t get access to the site they are trying to reach either.