Gogo inspects secure Web traffic in an attempt to limit in-flight video streaming

In-flight Internet provider Gogo replaces the HTTPS certificates on sites like YouTube with self-signed ones

In-flight Internet provider Gogo is inspecting its users' traffic exchanged with secure sites by replacing those sites' HTTPS certificates with self-signed ones.

The company argues that this procedure, which is technically a man-in-the-middle (MitM) attack, is only performed for some video streaming sites as part of its efforts to limit or block the use of such services.

The issue came to light after Adrienne Porter Felt, an engineer and researcher with Google's Chrome security team, noticed a rogue HTTPS certificate when she tried to access youtube.com via Gogo's Wi-Fi service during a flight.

Porter Felt posted a screenshot of the certificate issued by Illinois-based Gogo on Twitter, asking the company why it had replaced YouTube's real certificate. Her message sparked criticism of Gogo from other users.

The company responded Monday with a statement from its executive vice president and chief technology officer, Anand Chari.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft," Chari said. "Until then, we have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience."

Chari assured customers that no user information is being collected when such techniques are applied -- an obvious concern with MitM traffic inspection. Because the company's proxy system is positioned between the user and the sites whose certificates it replaces, it can see authentication cookies that can provide access to users' accounts on those sites and other potentially sensitive information.

It's not clear how efficient the use of this man-in-the-middle technique is at limiting video streaming, nor if it's even necessary. When encountering a self-signed certificate, most browsers display an error and users have to manually agree that they want to continue to the website.

In the case of Google Chrome, which keeps a list of trusted certificates associated with popular sites, including youtube.com, as part of a mechanism called certificate pinning, the error is persistent and hard to bypass.

"Users can't normally click through this particular warning," Porter Felt said on Twitter. "You gotta know the secret sauce to force it to load the page."

This means that for many users YouTube streaming won't be just throttled, but completely blocked, and if that's what the company aimed for, there are easier ways to achieve it without inspecting secure traffic.


Stories by Lucian Constantin
