dslreports logo
Report: GoGo Issuing Fake SSL Security Certificates

The GoGo in-flight broadband service is being accused of using fake SSL security certificates 30,000 feet in the air. The issue was discovered by Adrienne Porter Felt, an engineer working in the Google Chrome security team, who found that GoGo issued her computer their own SSL certificates when she accessed Google websites. In other words, GoGo is pretty clearly conducting a man in the middle attack on its paying customers.

Back in April, reports emerged that GoGo had struck a deal with intelligence agencies and law enforcement that goes well beyond what's required of the company by law. While GoGo has yet to officially comment, it's likely their lawyers hoped to lean on this portion of their end user agreement to justify the behavior:

quote:
You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement
I (and I'm sure countless others) have dropped a line to GoGo looking for an explanation of the decision.


Most recommended from 37 comments


ISurfTooMuch
join:2007-04-23
Tuscaloosa, AL

5 recommendations

ISurfTooMuch

Member

Google can stop this behavior within a day

All they have to do is block access to their sites from GoGo's IP address space and redirect customers to a page explaining what's going on. If they do that, GoGo will back off almost immediately.

hamburglar
join:2002-04-29
united state

2 recommendations

hamburglar

Member

Tworking?

Is that like twerking, at work?

jseymour
join:2009-12-11
Waterford, MI

2 recommendations

jseymour

Member

Too Bad An "IDP" Is Impractical

A long time ago, in a place far, far away, there was a thing called the Usenet Death Penalty. It's really too bad that the Internet "community" is so fractured, and so ruled by commercial interests, that an "Internet Death Penalty" couldn't be invoked on the likes of GoGo.

Jim
clone (banned)
join:2000-12-11
Portage, IN

2 recommendations

clone (banned)

Member

Throw the executives in prison for 20 years

If I were trying to impersonate Google and trying to trick end-users into thinking I was the software giant, I'd be in prison for "hacking" as soon as possible. Let's do the same to the executives who think it's OK to perform MITM attacks on end-users and say they are Google when they aren't. How's that sound?