Connecting to the web on a flight this Friday, Google engineer Adrienne Porter Felt noticed something weird. When she logged in, there was a red X over the padlock by the URL bar, a sign that something was fishy. She was looking at the Google search page, supposedly protected by HTTPS, but the site wasn't what it seemed.
A successful HTTPS connection to google.com usually means you can be sure all the data had come from Google and no one had messed with it in transit. There's even a signed certificate to prove it — but that red X meant the certificate didn't check out, and when she looked closer, Felt realized why. The certificate wasn't signed by Google. It was signed by Gogo, the inflight Wi-Fi provider, which was pretending to be Google. The certificate was bogus. Gogo was spoofing its own customers and circumventing some of the most fundamental protections of the web.
hey @Gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU— Adrienne Porter Felt (@__apf__) January 2, 2015
"We don't support various streaming video sites."
Known as a man-in-the-middle attack, injecting malware into data from an otherwise innocuous site has become an increasingly common tactic and has led companies across the web to push for HTTPS encryption as the best way to stop the attacks in action. But that only works if users check the HTTPS certificates, and providers like Gogo don't actively lie to them about who's issuing the certificate for a given site. It's a particularly hot topic for Gogo after reports that the company is cooperating with law enforcement far beyond its legal obligations.
In a statement on the incident, Gogo chalked the incident up to the company's streaming video policy. "We have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming," the statement reads. "One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it." Faced with an HTTPS-protected site like YouTube, the only alternative would be blocking the site wholesale.
Still, it's an alarming practice, not least because it could be hijacked by a malicious third-party as an easy way to infect any connecting computers with malware. Put simply, Gogo is taking secure sites and breaking their security so as to more effectively market its service. That's a terrible idea for everyone involved.
1/5 3:00pm ET: Updated to include Gogo statement.