Read this story on The Register

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

By Darren Pauli

Posted in Security, 6th January 2015 03:59 GMT

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate which masqueraded as orginating from her employer and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were as Felt said "better ways to do it" other than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired extended the concerns beyond a debate on the legitimate use of bogus SSL certficates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA)

Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®

Sign up to our NewsletterGet IT in your inbox daily

9 Comments

More from The Register

When uploading comments to the FCC, you can now include malware

And this is the agency that wants to regulate the internet

FCC taps the brakes on fudging US broadband speed amid senator fury

Tell me again why slower internet is a good thing?

Chill out about net neutrality, says FCC head, because mobile phones are great

Mobile World Congress All just part of a broader strategy

FCC: LEO ISPs A-OK

OneWeb gets green light to pipe internet through 720 orbiting satellites

FCC greenlights small cell free-for-all in the US

New rules wil lower requirements to build wireless cells

Sigh. Big Cable execs dominate FCC panel overseeing Big Cable's broadband upgrades

Deployment committee stacked with industry bods, says report

EFF vows to take up muni broadband cause after FCC denied

Digital crusaders warm up efforts to build city-owned networks

FCC under fire over TV, mobile broadband signal interference fears

Shouldn't that have been considered before you set up the auction?

Pai, Pai, Mr American spy: FCC supremo rips up privacy protections for broadband punters

No need for ISPs to tell you what info they're slurping up

Judges put FCC back in its box: No, you can't override state laws, not even for city broadband

Funnily enough, US regulator can't just do whatever it wants