Gogo Inflight, the largest provider of Internet connectivity on airplanes, has issued fake SSL certificates to people using its service, a Google engineer discovered during a recent flight.
Gogo provides Internet services for multiple airlines, including American Airlines, Air Canada, Delta, United Airlines, and Virgin Atlantic. Gogo also offers in-flight texting and voice mail.
The security breach was discovered by Google Chrome security engineer Adrienne Porter Felt during a flight on which she used Gogo’s in-flight Internet. Felt attempted to use Google services on the journey, only to find that the SSL certificate she received was being issued by Gogo instead of Google. Google tells Fast Company it is in direct contact with Gogo, and its team is investigating the issue.
For those unfamiliar with it, SSL (Secure Sockets Layer) is a security protocol designed to create an encrypted link between a server and a client, allowing sensitive information like credit card numbers and login details to be transmitted securely. The certificate is what lets the client confirm that the link ends at the real server; when an intermediary substitutes a certificate of its own, the link ends at the intermediary, which can then read the traffic. In this case, it seems Gogo may have performed a man-in-the-middle attack on its users, meaning any passwords, etc., entered while using the service could have been compromised.
“Gogo takes our customers’ privacy very seriously and we are committed to bringing the best Internet experience to the sky,” Anand Chari, Gogo’s chief technology officer, tells Fast Company. “Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure Internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo-equipped plane will have a consistent browsing experience.”
“We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience,” says Chari.
Users wanting to stay on the safe side can use a secure VPN and/or a tool like Tor, the free software and open network that helps defend users against traffic analysis.