Gogo Inflight Internet is intentionally issuing fake SSL certificates

Posted on by

In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.

For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer that is a part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

via Gogo Inflight Internet is intentionally issuing fake SSL certificates – Neowin.

Issuing fake SSL certificates is clearly a deceptive practice that should be illegal for providers of wifi.  This article shows a good reminder that an attacker must get your permission from your system to grant the fake certificate and pop up windows explaining this on most systems are very clear.  Never click yes when this window pops up unless on a secure network with prior knowledge as to the purpose for the certificate issuance.

Past reports on Gogo from this blog here and here.

Apparently Gogo’s Terms of Service may claim hijacking SSL connections is an acceptable form of “filtering.”   Beware of any open wifi system that does this.  It’s bad enough with third party script kiddies hijacking your sessions let alone the provider of your network.

Acknowledgement of Filtering and Restriction of Access to Pornography or Other Offensive or Objectionable Material. You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement, including, but not limited to, those activities that may subject Gogo or its customers to liability or danger, or material that may be obscene, lewd, lascivious, filthy, excessively violent, pornographic, harassing, or otherwise objectionable.