Menu
Gogo inspects secure Web traffic in attempt to limit in-flight video streaming

Gogo inspects secure Web traffic in attempt to limit in-flight video streaming

In-flight Internet provider Gogo replaces the HTTPS certificates on sites like YouTube with self-signed ones

In-flight Internet provider Gogo is inspecting its users' traffic exchanged with secure sites by replacing those sites' HTTPS certificates with self-signed ones.

The company argues that this procedure, which is technically a man-in-the-middle (MitM) attack, is only performed for some video streaming sites as part of its efforts to limit or block the use of such services.

The issue came to light after Adrienne Porter Felt, an engineer and researcher with Google's Chrome security team, noticed a rogue HTTPS certificate when she tried to access youtube.com via Gogo's Wi-Fi service during a flight.

Porter Felt posted a screen shot of the certificate issued by Illinois-based Gogo on Twitter asking the company why it had replaced YouTube's real certificate. Her message sparked criticism of Gogo from other users.

The company responded Monday with a statement from its executive vice president and chief technology officer, Anand Chari.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft," Chari said. "Until then, we have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience."

Chari assured customers that no user information is being collected when such techniques are applied -- an obvious concern with MitM traffic inspection. Because the company's proxy system is positioned between the user and the sites whose certificate it replaces, it can see authentication cookies that can provide access to users' accounts on those sites and other potentially sensitive information.

It's not clear how efficient the use of this man-in-the-middle technique is at limiting video streaming, nor if it's even necessary. When encountering a self-signed certificate, most browsers display an error and users have to manually agree that they want to continue to the website.

In the case of Google Chrome, which keeps a list of trusted certificates associated with popular sites, including youtube.com, as part of a mechanism called certificate pinning, the error is persistent and hard to bypass.

"Users can't normally click through this particular warning," Porter Felt said on Twitter. "You gotta know the secret sauce to force it to load the page."

This means that for many users YouTube streaming won't be just throttled, but completely blocked, and if that's what the company aimed for, there are easier ways to achieve it without inspecting secure traffic.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags online safetyGooglesecurityencryptionGogoprivacy

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments