Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Gogo Denies Using Fake Google Certificate to Spy on Passengers

Inflight Internet service provider Gogo has been caught using a fake Google SSL certificate, but the company says the certificate’s role is to prevent video streaming.

Inflight Internet service provider Gogo has been caught using a fake Google SSL certificate, but the company says the certificate’s role is to prevent video streaming.

The fake certificate was spotted last week by Adrienne Porter Felt, a member of the Google Chrome security team, after she accessed a page that had YouTube in an iframe. The researcher posted a screenshot with the details of the fake certificate issued by Gogo on Twitter.

Web browsers warn users when such certificates are detected. However, if the warning is ignored, the Internet traffic can be intercepted through man-in-the-middle (MitM) attacks.

In response to Felt’s post, Anand Chari, executive vice president and chief technology officer of Gogo, said his company takes customer privacy seriously.

“Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it,” Chari stated on Monday. “Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”

“We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience,” Chari added.

Felt has noted that Chrome users couldn’t have bypassed the browser warning without utilizing an override mode that she leveraged for testing purposes. However, the expert pointed out that there are better ways to throttle streaming.

“Unfortunately, this is not a new risk and is pervasive across the Internet. It is increasingly difficult for both end users and businesses to understand if secure communications can be trusted. It’s best if business providers like Gogo don’t complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek.

Advertisement. Scroll to continue reading.

“Last year, Facebook and Carnegie Mellon University found more than 6,000 forged certificates that represented Facebook, some of them were actively used by malicious software. Gartner’s conclusion that ‘certificates can no longer be blindly trusted’ from back in 2012 continues to play out in 2015. Not surprisingly, Intel expects the next major cybercriminal marketplace to be the sale of compromised digital certificates. Forged, compromised, and misused certificates and keys are a major threat that enterprises are only starting to grapple with. It’s clear, however, that bad guys know how to use them against us,” Bocek added.

The fact that Gogo is issuing fake SSL certificates might not be so alarming, but the company told the FCC in 2012 that it “worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests.” Civil liberties groups criticized the company for helping the government track users’ online activities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

More People On The Move

Expert Insights