Read this story on The Register

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

By Darren Pauli

Posted in Security, 6th January 2015 03:59 GMT

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate which masqueraded as orginating from her employer and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were as Felt said "better ways to do it" other than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired extended the concerns beyond a debate on the legitimate use of bogus SSL certficates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA)

Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®

Sign up to our NewsletterGet IT in your inbox daily

9 Comments

More from The Register

When uploading comments to the FCC, you can now include malware

And this is the agency that wants to regulate the internet

FCC gives Google's broadband balloons 'experimental license' in Puerto Rico

Project Loon gets its chance to beam relief broadband

FCC taps the brakes on fudging US broadband speed amid senator fury

Tell me again why slower internet is a good thing?

Vodafone's NBN plans may include voice-over-WiFi, virtual landlines

Carrier already this overseas, seeks Oz punters' opinions on 'NBN extras' plan, name

Is the FCC purposefully screwing up US school broadband projects?

Special report Answer: Yes, but it's hard to prove

FCC commish cites infamous porn ruling to slam shady US mobile competition report

How about we define the thing we're supposedly deciding on, queries Rosenworcel

Verizon whips out Big Johnson to lure FCC into axing US states' net neutrality, privacy rules

'Light touch' must be enforced with a heavy hand, says telco

Chill out about net neutrality, says FCC head, because mobile phones are great

Mobile World Congress All just part of a broader strategy

Robocall crackdown, choked Lifelines, and pole-climbing: Your new FCC rules roundup

Fresh round of overhauls, and some aren't happy about it

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now