I’m not a fan of in-flight Wi-Fi. I like the concept, but it costs too much for what you get. Now that I know that Gogo is also using rogue SSL certificates in a sort of man-in-the-middle attack to block access to certain sites, I am even less likely to spend any money on the service.
I wrote about the shady Gogo behavior in this blog post:
Gogo—a provider of in-flight Wi-Fi service on commercial airlines—admitted publicly that it is using fake SSL certificates for a man-in-the-middle attack that enables it to block customer access to certain sites. The admission is cause for concern on a couple levels, and undermines the public trust in SSL certificates at all.
The issue was initially made public thanks to a Google engineer who had issues playing a Youtube video while using the Gogo in-flight Wi-Fi. She noticed that the SSL certificate being used was not the legitimate SSL certificate for Youtube, but was instead a rogue certificate issued to Gogo.
Gogo CTO Anand Chari issued a statement explaining, “Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”
Chari goes on to stress that no customer information is being intercepted or collected, and that the man-in-the-middle attack is used strictly to allow Gogo to prevent customers from consuming excessive bandwidth by visiting streaming video sites in flight.
Check out the full story on CSOOnline: Gogo abuses certificate trust to limit access for in-flight Wi-Fi customers.