PSA: keep an eye on your SSL certs, no matter where you are...

Discussion in 'Travel Security' started by viguera, Jan 5, 2015.  |  Print Topic

  1. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    Lionell, Sammich, MX and 3 others like this.
  2. mattsteg
    Original Member

    mattsteg Gold Member

    Messages:
    3,276
    Likes Received:
    5,543
    Status Points:
    4,170
    I did not know this was not widely known. I'm not sure it's intentional or bad coding/process related to authenticating and redirecting to gogo, but this occurs regularly. Usually restarting the device or connection resolves the issue. Your browser should make it clear if you are using a valid certificate - if they were legitimately able to forge a "fake" certificate the suggested countermeasures would be worthless.
     
  3. MX

    MX Gold Member

    Messages:
    2,215
    Likes Received:
    4,805
    Status Points:
    2,545
    Is Gogo strictly a WiFi provider or do they potentially have access to plane's wired components (e.g. USB power ports)?
     
  4. Sammich

    Sammich Gold Member

    Messages:
    5,644
    Likes Received:
    22,439
    Status Points:
    11,025
    Highly likely that Gogo is strictly a wifi provider. Airlines wouldn't give electrical access to them that easily.

    Plus, it would require significant work retrofitting access for Gogo.
     
  5. Sammich

    Sammich Gold Member

    Messages:
    5,644
    Likes Received:
    22,439
    Status Points:
    11,025
    I have a flight in 2 days. Will check it out in greater detail. Seems like Gogo acted as an SSL CA and signed the Google SSL wildcard. The behavior exhibits closely to a forward proxy server. Which is most likely what Gogo is doing. However it's a poor choice of doing a self sign cert.
     
    Last edited: Jan 6, 2015
    Wandering Aramean likes this.
  6. anileze

    anileze Gold Member

    Messages:
    4,958
    Likes Received:
    12,782
    Status Points:
    10,675
    There is per-se no harm using a self-signed SSL. And in case of Gogo Inc, it is the last few feet :)
     
  7. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    Unless they're using their certs for everything else... And you think your gmail session is secure.
     
    anileze likes this.
  8. anileze

    anileze Gold Member

    Messages:
    4,958
    Likes Received:
    12,782
    Status Points:
    10,675
    But Google uses its own SSL, so Gmail is secure.
     
  9. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    How can it be secured if the certificate presented by https://mail.google.com is signed by Gogo and not by Google? The sole purpose of SSL/TLS is to assure you that the channel between you and the other side is secure. If the traffic is being altered so that when you browse youtube or gmail you're receiving a fake certificate, then you have to assume that all traffic over that channel could be compromised.

    And Gogo has admitted to doing this, albeit according to them it's for "traffic shaping" purposes, to prevent people from using youtube and suck up the limited bandwidth. They could have certainly gone about this different ways, other than creating a fake certificate for *.google.com signed by them.
     
    Lionell and anileze like this.
  10. anileze

    anileze Gold Member

    Messages:
    4,958
    Likes Received:
    12,782
    Status Points:
    10,675
    Okay, I misread and misinterpreted.
     
  11. Sammich

    Sammich Gold Member

    Messages:
    5,644
    Likes Received:
    22,439
    Status Points:
    11,025
    On my mobile now so don't have further details but I heard that Gogo stopped pretending to be a CA for Google?
     
  12. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    I heard that as of this morning they're issuing valid, properly signed *.google.com certs.
     
    Sammich likes this.
  13. Sammich

    Sammich Gold Member

    Messages:
    5,644
    Likes Received:
    22,439
    Status Points:
    11,025
    Good news. I'm assuming they resorted to other methods into limiting YouTube usage.
     
  14. HaveMilesWillTravel
    Original Member

    HaveMilesWillTravel Gold Member

    Messages:
    12,503
    Likes Received:
    20,197
    Status Points:
    16,520
    If I was Google, I would have retaliated by redirecting all requests from Gogo to a static page that explained in easy to understand terms what the implications of Gogo's doing are... And then offer a one-click-button complaint form directed at Gogo's CEO. Not being able to access any Google services would quickly come to bite Gogo where it hurts.
     
    Lionell and Sammich like this.
  15. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    I haven't been in a gogo flight since this whole debacle started, but I'm thinking that they either switched to a hard block as before or are using some sort of traffic shaping that allows short videos (like vine or IG) while preventing the data hogs like youtube and Netflix.
     
    Lionell and Sammich like this.

Share This Page