Menu
Gogo inspects secure Web traffic in attempt to limit in-flight video streaming

Gogo inspects secure Web traffic in attempt to limit in-flight video streaming

In-flight Internet provider Gogo replaces the HTTPS certificates on sites like YouTube with self-signed ones

In-flight Internet provider Gogo is inspecting its users' traffic exchanged with secure sites by replacing those sites' HTTPS certificates with self-signed ones.

The company argues that this procedure, which is technically a man-in-the-middle (MitM) attack, is only performed for some video streaming sites as part of its efforts to limit or block the use of such services.

The issue came to light after Adrienne Porter Felt, an engineer and researcher with Google's Chrome security team, noticed a rogue HTTPS certificate when she tried to access youtube.com via Gogo's Wi-Fi service during a flight.

Porter Felt posted a screen shot of the certificate issued by Illinois-based Gogo on Twitter asking the company why it had replaced YouTube's real certificate. Her message sparked criticism of Gogo from other users.

The company responded Monday with a statement from its executive vice president and chief technology officer, Anand Chari.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft," Chari said. "Until then, we have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience."

Chari assured customers that no user information is being collected when such techniques are applied -- an obvious concern with MitM traffic inspection. Because the company's proxy system is positioned between the user and the sites whose certificate it replaces, it can see authentication cookies that can provide access to users' accounts on those sites and other potentially sensitive information.

It's not clear how efficient the use of this man-in-the-middle technique is at limiting video streaming, nor if it's even necessary. When encountering a self-signed certificate, most browsers display an error and users have to manually agree that they want to continue to the website.

In the case of Google Chrome, which keeps a list of trusted certificates associated with popular sites, including youtube.com, as part of a mechanism called certificate pinning, the error is persistent and hard to bypass.

"Users can't normally click through this particular warning," Porter Felt said on Twitter. "You gotta know the secret sauce to force it to load the page."

This means that for many users YouTube streaming won't be just throttled, but completely blocked, and if that's what the company aimed for, there are easier ways to achieve it without inspecting secure traffic.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags online safetyGooglesecurityencryptionGogoprivacy

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments