An engineer who works on Google Chrome’s security team has discovered that Gogo Inflight Internet is issuing fake SSL certificates.
According to a report by Neowin.net, Google engineer Adrienne Porter Felt discovered that she was being served an SSL certificate from Gogo when requesting YouTube. She noticed something was off when her browser indicated that the certificate was signed by an untrusted issuer.
Porter Felt tweeted a screenshot of the warning on Friday, asking Gogo why they would issue *.google.com certificates on its planes.
— Adrienne Porter Felt (@__apf__) January 2, 2015
By issuing false SSL certificates, Gogo is able to snoop on what users of its service are doing, likely without their knowledge. According to the report, Gogo has a cozy relationship with authorities, which makes its man-in-the-middle position even more troubling. Earlier this year, Gogo partnered with government officials to bake spyware into its service and produce “capabilities to accommodate law enforcement interests,” Neowin reports, going above and beyond what is legally required.
Gogo is one of the few players in the airline internet market, providing internet connectivity services to a number of different airlines, including Aeromexico, American Airlines and Air Canada.
In a statement on its website on Monday, Gogo doesn’t specifically address Porter Felt’s concerns or reference its SSL certificate signing policies. Instead, it refers to its generic “streaming video policy.”
“Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky,” Anand Chari, Executive Vice President and Chief Technology Officer of Gogo, said in a statement. “Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”
Chari said that Gogo doesn’t collect user information.
According to a report by Fast Company, Google is currently in contact with Gogo and is investigating the issue.
In November, a group of researchers and technology companies, including Mozilla, banded together to work on a new initiative, called Let’s Encrypt, that will automatically issue and manage free certificates for websites, making it easier for websites to deploy HTTPS.