Customers' privacy at risk of man-in-the-middle attack

Jan 6, 2015 08:50 GMT

Gogo, the in-flight web delivery service, has resorted to man-in-the-middle (MitM) tactics to shape bandwidth in order to give customers a balanced browsing experience.

The company presents a fake SSL (Secure Sockets Layer) certificate that pretends to be from Google when the user navigates to Google's video streaming websites, such as YouTube.

The SSL cryptographic protocol is used to encrypt communication over the web, allowing an open channel only between the client and the intended server. If an entity interposes itself between the two parties, it functions as a relay and has access to the unencrypted traffic exchanged between the client and the server.

Some video streaming services are not supported, need to be limited

The practice used by Gogo was discovered by Adrienne Porter Felt, an engineer on the Google Chrome security team, who raised the issue on Twitter, asking the company why it did so.

The explanation given by Gogo was that its network capacity was not mature enough to support video streaming and that accessing this type of service had an impact on the browsing experience of all customers.

“Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it,” Anand Chari, Chief Technology Officer at Gogo, said in an official statement.

The CTO also adds that the technique used to shape the bandwidth does not affect all video streaming websites and has no impact on the overall secure Internet traffic run through Gogo’s infrastructure. He says that the main purpose of this MitM technique is to ensure a consistent Internet experience for everyone aboard a Gogo-equipped plane.

Getting between client and server is still a security risk

On the other hand, a fake certificate impersonating a Google service gives Gogo access to all the data sent from the client to the server and back, bypassing any protection provided by the legitimate SSL certificates.

Of course, the presence of an untrusted certificate is flagged by the web browser, and in Chrome the user would have to jump through multiple hoops to get to the content; but this does not happen with all web browsers, and sometimes users do get through all the hoops to obtain what they want, despite the warnings.

The Gogo CTO assures customers that even though the service is able to collect private information, it does not do so, and the techniques used are simply intended to make sure that passengers who want access to the Internet during a flight benefit from a good experience.

Be that as it may, the company’s reputation for respecting user privacy has already been tainted, as Gogo is among those entities that voluntarily exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA) and included capabilities that allowed monitoring by law enforcement agencies.

This was reported by Wired in April 2014, based on a letter sent in 2012 by Gogo to the Federal Communications Commission (FCC); the beginning of the second page relates the company’s willingness to exceed the CALEA requirement.