Wi-Fi provider in aircraft injects false SSL certificate


Gogo, an inflight internet provider in the United States, intercepts connections to Google with a fake SSL certificate. This is probably done to restrict streaming. It is unknown whether this always happens and whether other websites are affected as well.

An employee of the Google Chrome security team noticed the fake certificate being injected while she was flying herself. She noted that Gogo injected its own certificate for domain names ending in ‘.google.com’. As a result, users can no longer trust that they have a secure, direct connection to Google’s servers without Gogo watching.

The Google employee suspects that the fake certificate is injected to restrict streaming, since users can stream music and movies from play.google.com. “But there are better ways to do this,” she wrote on Twitter.

It is not known whether Gogo also injects its own certificate into connections with other sites that generate a lot of data traffic through streaming, such as YouTube and Spotify. It is also not known whether Gogo always intercepts traffic, or, for example, only when the speed of the connection is compromised by streaming users. Gogo has not yet commented on the allegations.

Fake certificates have been issued before. Technically this is possible if a certificate authority can be found that is willing to cooperate: there are no technical measures that prevent a certificate authority from issuing certificates for other people’s domain names. However, the impact is limited, among other things, by certificate pinning in Google Chrome: the browser records which certificate authorities are allowed to issue certificates for certain domain names, including Google’s own. If another certificate authority issues a certificate for Google, the browser raises an alarm, which is exactly what happened in this case.
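As an added illustration of the pinning check described above (example code, not Gogo's, Google's or Chrome's own), the following Python models a static pin list: the browser hashes the public key of every certificate in the presented chain and accepts the connection only if one of those hashes matches a pin recorded for the domain. The SPKI bytes, the pin entries and the chains are constructed stand-ins, not real Google keys.

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP / Chrome pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass(frozen=True)
class PinSet:
    domain: str
    include_subdomains: bool      # also covers *.domain, like Chrome's include_subdomains flag
    pins: frozenset               # SPKI hashes accepted anywhere in the chain


def find_pinset(host: str, pinsets):
    """Most specific pin set that applies to host, or None if the host is unpinned."""
    host = host.lower().rstrip(".")
    best = None
    for ps in pinsets:
        if host == ps.domain or (ps.include_subdomains and host.endswith("." + ps.domain)):
            if best is None or len(ps.domain) > len(best.domain):
                best = ps
    return best


def check_pins(host, chain_spkis, pinsets, anchor_is_locally_trusted=False):
    """Return (ok, reason). Chrome skips pin enforcement when the chain ends in a
    root the user installed locally (e.g. a corporate proxy); a chain from an
    unknown issuer, as in the Gogo case, fails the check and triggers the alarm."""
    ps = find_pinset(host, pinsets)
    if ps is None:
        return True, "host not pinned"
    if anchor_is_locally_trusted:
        return True, "locally installed trust anchor; pins not enforced"
    if {spki_pin(s) for s in chain_spkis} & ps.pins:
        return True, "chain contains a pinned key"
    return False, f"no pinned key for {ps.domain} in presented chain"


# Constructed stand-ins for SPKI bytes; real keys are DER blobs, not strings.
GOOGLE_INTERMEDIATE_SPKI = b"constructed: Google intermediate CA public key"
GOOGLE_ROOT_SPKI = b"constructed: public root that issued the intermediate"
GOGO_ISSUER_SPKI = b"constructed: in-flight interception CA public key"
PINSETS = [PinSet("google.com", True, frozenset({spki_pin(GOOGLE_INTERMEDIATE_SPKI), spki_pin(GOOGLE_ROOT_SPKI)}))]
LEGIT_CHAIN = [b"constructed: leaf key", GOOGLE_INTERMEDIATE_SPKI, GOOGLE_ROOT_SPKI]
INTERCEPTED_CHAIN = [b"constructed: fake *.google.com leaf key", GOGO_ISSUER_SPKI]
```

Running `check_pins("play.google.com", INTERCEPTED_CHAIN, PINSETS)` fails because no key in the intercepting chain matches a pin, which is the alarm the article describes; the same chain passes for an unpinned host, which is why pinning protects only the domains on the list.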

hey @gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU

— Adrienne Porter Felt (@__apf__) January 2, 2015
