Gogo Inflight Internet is intentionally issuing fake SSL certificates
SSL/TLS is a protocol that exists to ensure there exists an avenue for secure communication over the Internet. Through the use of cryptography and certificate validation, SSL certificates make man-in-the-middle attacks (where a third party would be able monitor your internet traffic) difficult, so the transmission of things like credit card numbers and user account passwords becomes significantly safer. In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.
For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer that is a part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.
This presents itself as an extremely unacceptable action by Gogo which serves in-flight internet to a number of different national and international airlines, including Aeromexico, American Airlines, Air Canada, Japan Airlines and Virgin Atlantic, among many others.
Earlier this year, it was revealed through the FCC that Gogo partnered with government officials to produce “capabilities to accommodate law enforcement interests” that go beyond those outlined under federal law. It mentioned how it worked closely with law enforcement and directly baked spyware into their service. If that wasn’t bad enough, based on this revelation, Gogo is now intentionally attacking its user’s browsing sessions to remove any line of defense that a user may have, and based on their history, it cannot be trusted that it is being done for any legitimate reason.
While Gogo happily waves how heavily it mines its customer’s data and is willing to cooperate with governments and law enforcement groups, including undisclosed “third parties,” this method of mining goes beyond anyone would ever expect. Gogo is also offering in-flight texting and voicemail, and there is no doubt as to how Gogo will be handling the privacy and security elements of those as well.
If you have used Gogo in the past, it is worth considering that all of your communications, including those over SSL/TLS, have been compromised and that you should consider resetting your passwords– at least on Google. If you intend to use Gogo in the future, do so through the use of Tor or through a secure VPN.