Gogo, a noted provider of in-flight broadband Internet service, has been spotted serving a fake Google SSL certificate to fliers trying to access YouTube, effectively performing a Man-in-the-Middle attack against them.
The fact was discovered and publicly flagged by Adrienne Porter Felt, an engineer on Google’s Chrome browser security team.
In response to the question, Anand Chari, Executive Vice President and CTO of Gogo, explained that they are doing it in order to limit/block users from using video streaming services during the flight so that all users aboard can have a consistent browsing experience.
“Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic,” he said. “We can assure customers that no user information is being collected when any of these techniques are being used.”
But not all are ready to trust this statement. In April 2014, Kim Zetter reported that the company has shown it’s willing to do more than it’s necessary to help the US authorities and law enforcement in tracking users when needed and ordered – a move heavily criticized by civil liberties groups.
“Unfortunately, this is not a new risk and is pervasive across the Internet,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, commented this latest discovery.
“It is increasingly difficult for both end users and businesses to understand if secure communications can be trusted. It’s best if business providers like Gogo don’t complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications.”
“Last year, Facebook and Carnegie Mellon University found more than 6,000 forged certificates that represented Facebook, some of them were actively used by malicious software. Gartner’s conclusion that “certificates can no longer be blindly trusted” from back in 2012 continues to play out in 2015,” he also pointed out for Help Net Security.
“Not surprisingly, Intel expects the next major cybercriminal marketplace to be the sale of compromised digital certificates. Forged, compromised, and misused certificates and keys are a major threat that enterprises are only starting to grapple with. It’s clear, however, that bad guys know how to use them against us.”