Inflight Internet service provider Gogo has been caught using a fake Google SSL certificate, but the company says the certificate’s role is to prevent video streaming.
The fake certificate was spotted last week by Adrienne Porter Felt, a member of the Google Chrome security team, after she accessed a page that had YouTube in an iframe. The researcher posted a screenshot with the details of the fake certificate issued by Gogo on Twitter.
Web browsers warn users when such certificates are detected. However, if the warning is ignored, the Internet traffic can be intercepted through man-in-the-middle (MitM) attacks.
In response to Felt’s post, Anand Chari, executive vice president and chief technology officer of Gogo, said his company takes customer privacy seriously.
“Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it,” Chari stated on Monday. “Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”
“We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience,” Chari added.
Felt has noted that Chrome users couldn’t have bypassed the browser warning without utilizing an override mode that she leveraged for testing purposes. However, the expert pointed out that there are better ways to throttle streaming.
"Unfortunately, this is not a new risk and is pervasive across the Internet. It is increasingly difficult for both end users and businesses to understand if secure communications can be trusted. It’s best if business providers like Gogo don’t complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek.
“Last year, Facebook and Carnegie Mellon University found more than 6,000 forged certificates that represented Facebook, some of them were actively used by malicious software. Gartner’s conclusion that ‘certificates can no longer be blindly trusted’ from back in 2012 continues to play out in 2015. Not surprisingly, Intel expects the next major cybercriminal marketplace to be the sale of compromised digital certificates. Forged, compromised, and misused certificates and keys are a major threat that enterprises are only starting to grapple with. It’s clear, however, that bad guys know how to use them against us,” Bocek added.
The fact that Gogo is issuing fake SSL certificates might not be so alarming, but the company told the FCC in 2012 that it “worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests.” Civil liberties groups criticized the company for helping the government track users’ online activities.