In-flight Internet provider Gogo is inspecting its users’ traffic exchanged with secure sites by replacing those sites’ HTTPS certificates with self-signed ones.
The company argues that this procedure, which is technically a man-in-the-middle (MitM) attack, is only performed for some video streaming sites as part of its efforts to limit or block the use of such services.
The issue came to light after Adrienne Porter Felt, an engineer and researcher with Google’s Chrome security team, noticed a rogue HTTPS certificate when she tried to access youtube.com via Gogo’s Wi-Fi service during a flight.
Porter Felt posted a screen shot of the certificate issued by Illinois-based Gogo on Twitter asking the company why it had replaced YouTube’s real certificate. Her message sparked criticism of Gogo from other users.
The company responded Monday with a statement from its executive vice president and chief technology officer, Anand Chari.
“Right now, Gogo is working on many ways to bring more bandwidth to an aircraft,” Chari said. “Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”
Chari assured customers that no user information is being collected when such techniques are applied—an obvious concern with MitM traffic inspection. Because the company’s proxy system is positioned between the user and the sites whose certificate it replaces, it can see authentication cookies that can provide access to users’ accounts on those sites and other potentially sensitive information.
It’s not clear how efficient the use of this man-in-the-middle technique is at limiting video streaming, nor if it’s even necessary. When encountering a self-signed certificate, most browsers display an error and users have to manually agree that they want to continue to the website.
In the case of Google Chrome, which keeps a list of trusted certificates associated with popular sites, including youtube.com, as part of a mechanism called certificate pinning, the error is persistent and hard to bypass.
“Users can’t normally click through this particular warning,” Porter Felt said on Twitter. “You gotta know the secret sauce to force it to load the page.”
This means that for many users YouTube streaming won’t be just throttled, but completely blocked, and if that’s what the company aimed for, there are easier ways to achieve it without inspecting secure traffic.