Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security The Internet

In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming 163

Amanda Parker writes In-flight internet service Gogo has defended its use of a fake Google SSL certificates as a means of throttling video streaming, adding that it was not invading its customer's privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter. From the article: "The image clearly shows that Gogo signed the certificate, not Google, thus misleading customers and opening the door to malware on users' devices. It also serves as a way to throttle data and limit traffic on its networks. 'Gogo takes our customer's privacy very seriously and we are committed to bringing the best Internet experience to the sky,' CTO Anand Chari said in a Monday statement."
This discussion has been archived. No new comments can be posted.

In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming

Comments Filter:
  • by sycodon ( 149926 )

    These fuckers need to stop selling shit they can't support. If I pay for band width, I need to have it when I want it, for whatever I want it for.

    And don't give me any of this "Up To" bullshit. They should be required to indicate what the average speed you are buying is.

    • by AuralityKev ( 1356747 ) on Wednesday January 07, 2015 @05:35PM (#48759709)
      There's no competition there - I think it'd be fine to be perfectly up front to say something like "While we're screaming across the earth defying gravity at 750 miles per hour, we do not have the ability to provide enough bandwidth so that everyone may watch Netflix. Streaming video sites are not accessible. You don't like it, don't buy it."
      • I wish they went 750! Unfortunately, it seems most travel at about ~450 these days to save fuel. Maybe that will change with falling oil prices, but as long as ticket price is king, probably not.

        • More flights means moving more passangers per plane - money saved on plane rental, staff, maintenance.

          No-one expects oil to stay this cheap forever though. It's just a matter of how long.

      • by jonnythan ( 79727 ) on Wednesday January 07, 2015 @06:24PM (#48760129)

        They could say something like this:

        Bandwidth at 30,000+ feet is inherently limited, and heavy-load activities like streaming videos from the ground can weigh down our network. That means playback is subject to poor video quality, buffering, and slower connection speeds for your fellow passengers.

        Oh wait. That's exactly what they say. They're very up-front about not being able to stream video.

        • That's blatant misrepresntation of the problem and of what GP said. There's a difference between blocking completely and throttling uaing shady methods.
        • by thegarbz ( 1787294 ) on Thursday January 08, 2015 @05:09AM (#48763063)

          People are getting their panties in a twist about the contract rather than the real kicker. There are many more suitable ways to prevent streaming like QoS, blacklists etc. Instead they choose to MITM an encrypted connection.

          I don't care what they say. They are completely in the wrong and I'm sure if you read the laws carefully enough what they are doing is likely illegal as they have more than 3 letters in their name.

      • There's no competition there - I think it'd be fine to be perfectly up front to say something like "While we're screaming across the earth defying gravity at 750 miles per hour, we do not have the ability to provide enough bandwidth so that everyone may watch Netflix. Streaming video sites are not accessible. You don't like it, don't buy it."

        Everything people hate about business is Marketings fault in my opinion. Honesty doesn't make sales.

      • They do.

        They make it very clear that streaming video is unacceptable and not allowed.

    • I'm OK with ISPs offering speed variation through the day, based on demand. Why limit my speed to 10 Mbps at 4am if you can offer 100 Mbps at no additional cost? Just don't limit the speed according to the service/application/port number/web site I use. An ISP is a dumb pipe and my bytes should get the same priority as anyone else's.
      • Should they? If you're playing an online video game, should your bytes have the same priority as someone who is trying to download a 10Gb file? Or someone who's computer is performing an automatic update? Or someone who's streaming music?

        If your answer is yes, I have to ask, why?
        • Comment removed based on user account deletion
        • Each *user* believes their use is important and essential to them. The idea that someone gets a better experience downloading updates just because their device is an Xbox versus a Playstation versus a SteamBox, versus a PC, versus someone trying to watch Netflix or YouTube, versus someone trying to Skype call someone else, versus someone trying to ScreenHero someone else or browse the web for that matter is irrelevant. Each person feels that their money entitles them to equal service to their neighbors who
          • It's not really a matter of "more important", it's a matter of latency (think "ping time").

            If I'm using VOIP, or playing an online game, then it's important that I get low latency. If I'm downloading 10GB or a game update, latency doesn't matter. Therefore, when there's a batch of packets ready to go, it makes sense to send the low-latency ones first, and give priority to following low-latency packets. There does have to be some way to prevent a high-bandwidth operation from having uniformly low laten

            • If everybody has the same right to get reduced latency for certain things, the system remains fair.

              No it's not. My 10GB download shouldn't be slowed down by someone else doing 10GB of video game. If the latency is too bad so that online games are not playable, then the network should be upgraded. Also it's impossible to implement. You can't detect if trafic is gaming or not. You can't detect if it's VoIP or not. Don't tell me that you only have to whitelist xbox live and SIP as there are thousands of game and VoIP protocols.

        • Absolutely, because everyone paid the the same for the same service.

          It's perfectly possible to do per-user load balancing. If you advertised "up to 100 Mbps, speeds may be lower at peak times" and then oversold a 1 gig link to 100 people, then prioritize the first 10Mbps of each user's packets. Everyone's online games, VoIP traffic, streaming music, web browsing, and email will work perfectly. That one guy who's streaming 5 HD Netflix movies will have to suck it up. The guy who's torrenting will get 50Mbps

        • If you're playing an online video game, should your bytes have the same priority as someone who is trying to download a 10Gb file?

          If that's what you are selling - yes, whoever gets in first clogs the pipe. As for why, if you promised raw bandwith and not details it's about keeping a promise.
          However if you tell the customers that certain traffic gets bumped up in priority and they agree to remain your customers then go for whatever QoS scheme you want. It's perfectly acceptable in workplaces for instance

          • No consumer broadband ISP promises raw bandwidth without prioritisation on their cheapest ($/GB, $/Mbps) prices.

            Why? Because it's impossible to ensure everyone can get DNS responses while 20% of the users are flooding the network with as many P2P packets as they can.

        • Yes. And why not? If I pay the same price for the same service, why should I get a different priority for my packets? In the end, if we all use 10GB over the same amount of time, we each cost the same to the ISP.
        • Yes. your question has only a few limited scenarios - there are many many more that could be listed - trying to reasonably rank those without context is completely unreasonable. Even looking at your examples I'm having a hard time figuring out what order to try to rank those options in - I'm sure there would be as much agreement as with selecting pizza toppings.

          A good ISP (there aren't many) should announce their average upload download rates and paying users should expect to experience those numbers regar

    • I paid for some GoGo on a flight recently. The signup page made it pretty clear that data speeds were pretty limited and I wasn't allowed to stream video. I don't know why they need to spoof certs for that as opposed to just blocking sites or protocols though. Maybe they do some sort of data compression on the ground before transmitting to the plane or something?

      • by Anonymous Coward

        They limit you to a 1mbps 802.11b connection. They perform further rate limiting on packets going in and out of the plane, however I was able to transmit voice clearly and low bandwidth (~384kbps) video on my last gogo flight. The price hikes have been enough for me to put away the laptop while flying, but for 4+ hour flights i still break out my raspberry pi and offer streaming video to others on the plane

      • by dbIII ( 701233 )

        I don't know why they need to spoof certs

        Because outright fraud was more convenient than blocking.

        If it wasn't happening on a computer we'd be seeing people getting dragged into court instead of the casual acceptance of fraud we see around a lot of SSL issues.

    • They cannot call their service "Internet". This goes for any company that messes with packets, discriminates, blocks ports, or in any way defeats standard protocols.

    • by pepty ( 1976012 )

      These fuckers need to stop selling shit they can't support.

      Before you pay for it Gogo asks you not to use it to stream video or use other high bandwidth applications.

  • Why do they need to see the decrypted packet payloads? Surely throttling could be done based on a device's behavior (e.g. bandwidth used) without having to know exactly what the user is doing.
    • You're not thinking like someone who has to deal with the general public.

      People who read slashdot can easily rattle off some semi-accurate estimates for how much bandwidth a particular online activity consumes. Load BBC News? Less than 1mb (I hope). Listen to a streamed MP3 of a pop hit? Probably 3-4mb. Watch a 40 second video? Maybe 5-8 megabytes. Windows update? Errrmm ..... maybe 20-30? Stream a full TV episode. Multiple gigabytes.

      None of this means anything to your average flyer. They don't think in uni

      • It seems like a bad precedent to allow a company to impersonate another. I'd rather they throttle people to 256K each and let the performance lag weed out the excess usage naturally.

        • They aren't allowed to impersonate another company, I suspect that's rather the point. Look at the screenshot: the HTTPS indicator was crossed out. I guess you have to click through a big fat warning to get there ..... and I'm surprised it's even possible at all. I thought YouTube was SSL pinned. Maybe it's just google.com

        • one word (well, maybe two):

          STINGRAY

          god damned fucking cops enjoy using fraud to spy on us. they could not care less about our little laws and rules.

          and yet, this company is doing pretty much the same thing. they are not cops so they will not get away with it.

          but it stinks, no matter WHO does the frauding.

          oh, and almost every company that gives employees laptops also frauds them, as they install custom mitm certs so they can spy on your comms while you use their laptop.

          when will all this shit end???

      • You're not thinking like someone who has to deal with the general public.

        People who read slashdot can easily rattle off some semi-accurate estimates for how much bandwidth a particular online activity consumes. Load BBC News? Less than 1mb (I hope). Listen to a streamed MP3 of a pop hit? Probably 3-4mb. Watch a 40 second video? Maybe 5-8 megabytes. Windows update? Errrmm ..... maybe 20-30? Stream a full TV episode. Multiple gigabytes.

        In my experience a episode of 20 minutes at 720p is about 700mb and 480p of same length it 350mb but varies with format and encoding.

      • Multiple gigs for a TV episode? Even a ripped HD Blueray is 4-9GB, a 720 HD show might be around 800-1000mb. Most shows I download are around 200-400mb. Even an entire season of normal resolution TV is around 7-10gb. If I was GoGo, update.microsoft.com would be blocked permanently, since it's just stupid for anyone to update critical files while in an airplane. Some updated are up to 500gb in total, especially when its DirectX, .net, etc. But I guess if your streaming full HD, non-compressed video then s
    • Why do they need to see the decrypted packet payloads? Surely throttling could be done based on a device's behavior (e.g. bandwidth used) without having to know exactly what the user is doing.

      My guess is that they want to control the advertisements you see, even on encrypted pages and that the CTO is blowing smoke because he doesn't want to tell you this (and/or really doesn't know how all this works). If they *really* are trying to filter https bandwidth, this was a sorry way to do it. Not only is it ineffective and not very simple, it is risky for the customer.

      Right now, GoGo needs to have it's certificates yanked by the authority they use, or if they are self signed, GoGo needs to be remov

  • by gatfirls ( 1315141 ) on Wednesday January 07, 2015 @05:32PM (#48759679)

    Why would they do all that instead of just put access lists at the edges?

    • YouTube / Google makes this particularly hard for them. Google uses the same IP range for most of its services. Blocking Google Search is a non-starter. But that means that you cannot block YouTube by IP address. Ok, so you simply block requests to youtube.com (and its other country specific variations). There are two issues however, getting around this is as easy as `nslookup youtube.com 8.8.4.4` and assuming you do catch the DNS request, you cannot send back an error response because YouTube is now co

    • by AmiMoJo ( 196126 ) *

      Since YouTube switched to HTTPS it has become hard to block/throttle just the videos with an access list. They could invest in some DPI to do it, but they found a cheaper way. Send a bogus certificate and MITM the connection, throttling only the video stream while leaving the rest of the site responsive.

      YouTube automatically adjusts the video quality based on the available bandwidth. This way they can keep the site loading quickly, but throttle the video down to 240p.

  • by AuralityKev ( 1356747 ) on Wednesday January 07, 2015 @05:32PM (#48759683)
    Come on, just set QoS so that nobody can stream anything if you're concerned about bandwidth. Don't do some shady impersonation black hat shit to appear that it's not YOU being a bandwidth miser. It's not like there's a whole lot of competition inside each aircraft. AT&T or Verizon isn't following in a jet 2 nautical miles back with a signal booster just asking your passengers to log in to them for a nominal fee.
    • what's wrong with streaming? Why should a user using 1GB visiting web pages should get more priority than another user streaming a 1GB video?
      • by Feral Nerd ( 3929873 ) on Wednesday January 07, 2015 @06:22PM (#48760105)

        what's wrong with streaming? Why should a user using 1GB visiting web pages should get more priority than another user streaming a 1GB video?

        There is nothing wrong with streaming, but is there something wrong with bandwidth rationing to ensure that all the customers on your plane have the same same share of a a limited resource? The guy using web pages trying to plan activities at his destination is never going to download 1Gb of data during a flight just browsing websites, while a dozen streaming users might hog all the bandwidth over a limited connection ruining the experience for everybody else on the plane. Gogo claims they are doing this in order to be able to prevent bandwidth hogs from using encrypted connections to bypass their bandwidth rationing mechanism but I don't really get why that is necessary. Surely you can bandwidth limit an encrypted connection without having to know what is being transmitted over that connection, so if somebody is streaming a video on full HD over SHTTP they'd simply get a poor frame-rate without GoGo ever needing to know what they were viewing.

        • by AK Marc ( 707885 )

          There is nothing wrong with streaming, but is there something wrong with bandwidth rationing to ensure that all the customers on your plane have the same same share of a a limited resource?

          In practice (under a system like Gogo is using), the guy FTPing a 1GB video from home will see better performance than someone watching the same thing on Youtube. You are defending that practice, while saying equality is good. I can't figure out what you actually mean.

        • Good grief, I have no problem with rationing bandwidth. Especially as you state, because the plane is going to have limited bandwidth and lots of connections competing. There are very effective ways of rationing bandwidth without hijacking user sessions without their knowledge, which is what this service is doing. Their method is not the cheapest, nor the easiest way to do this. It's like Motorola, who did the same thing and got busted. I will never, ever, buy a motorola device because of it. Just lik

    • by sycodon ( 149926 )

      Ya well, they want the COMMERCIALS to stream.

      Fuck, most of the time the commercials are the only things that do get through throttling schemes.

    • Unregulated monopoly? Aren't they illegal, or was that only in the '30s?
      • Unregulated monopoly? Aren't they illegal, or was that only in the '30s?

        No, neither. Monopolies are (and were) only barred from leveraging their position to harm competition, or customers. If they just keep operating normally after they become a monopoly, and don't "pull anything," then there is no problem.

    • I would imagine they're using some sort of bandwidth optimisation between ground and plane (something like a Riverbed, perhaps). They could do the same with encrypted packets, but the hit rate on those is practically zero, so they'd get no gain. Instead, they decrypt on the ground, compress the stream and send it up to the plane, which uncompresses the stream, re-encrypts whatever it needs to and sends it out the clients. They obviously can't use the original cert for that re-encryption, so they use their o

  • by phorm ( 591458 ) on Wednesday January 07, 2015 @05:36PM (#48759717) Journal

    Why would this even be needed for throttling? If you don't want a customer downloading at more than 256kbps, then throttle him or her to 256kbps (or whatever).
    If you don't want a given connection at more than 256kbps, then throttle each connection at 256kbps

    Hell, if you *just* want to throttle youtube, then have your DNS hosts respond with an address you control for all youtube requests and throttle that one (then NAT through the actual traffic without breaking encryption).

    There seems to be very little benefit in decrypting SSL for throttling purposes, and a lot more benefit in viewing users' private correspondence (emails, G+, whatever else uses that certificate chain).

    • I'm guessing the real reason is so they can do some sort of compression between the ground and aircraft. Lossy compression of Facebook and Google images could save a good bit of bandwidth, and they can't do that without intercepting the unencrypted data using this method.

      • I like your idea, but why don't they just say that? There is also the prospect of inserting their own ads, which seems likely too.

        As it stands that CTO guy sounds like a buffoon who is trying to hide something.

      • Compression and/or caching.

      • by rwa2 ( 4391 ) *

        This. Yes, the "right" way is just to block YouTube.com entirely.

        The way they've implemented it allows you to still read YouTube for the comments (snicker), or maybe edit videos or search and bookmark links to view later. I suppose now they're sorry that they tried to do you a favor.

    • by slazzy ( 864185 )
      I guess they want to allow faster speed so that webpages load quicker and such. Another way to approach that would be to throttle at 256kbps or so, but allow bursting for a few seconds to a higher speed.
    • by AmiMoJo ( 196126 ) *

      We need to keep reminding people that a VPN is pretty much mandatory for public internet access like wifi.

    • by cshay ( 79326 )

      I suspect the special issue here is they don't want ANY of some types of streaming, even if it low bandwidth. So they want to be able to inspect what is being sent across. You can stream audio at relatively low bandwidth, and so if they simply throttled the bandwidth that may allow people to make a phone call, which is a huge no no on most carriers.

  • by idontgno ( 624372 ) on Wednesday January 07, 2015 @05:40PM (#48759751) Journal

    2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).

    It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.

    • by mjwx ( 966435 )

      2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).

      It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.

      This is why no-one reads the article.

  • It feels like they're just using a cheap solution to control their bandwith. (Maybe weight of equipment plays a significant role in these applications, too.)

    Or they may be bad. I don't know. Either way it's a no go; think of something better.
    • I dont see why equipment should matter, they could just do the MITM wherever they downlink to rather than in-aircraft.

    • It feels like they're just using a cheap solution to control their bandwith. (Maybe weight of equipment plays a significant role in these applications, too.) Or they may be bad. I don't know. Either way it's a no go; think of something better.

      My bet is that they think #1 is true, but given my experience with them it really is that they are that bad at network management... Well that and they thought nobody would notice them doing this when they tried to get away with something.

    • by AK Marc ( 707885 )
      Reading some of the comments, I think that they are doing it to "control bandwidth" in that they have proxy or compression happening on the plane. And the traffic must be unencrypted for that to work. And the CTO is an idiot for not knowing what it's doing and why, making his company look bad.
  • by thisisauniqueid ( 825395 ) on Wednesday January 07, 2015 @06:01PM (#48759925)
    There's no reason they need to decrypt connections to throttle them. Throttling after a threshold data burst rate over a sustained period of time would be sufficient.
    • by AmiMoJo ( 196126 ) *

      The problem with that method is that it will cause the video to pause and stutter. If they can throttle it from the very beginning YouTube will automatically select the lowest possible quality stream and then play it back without any issues.

      Also, bursts tend to screw up latency sensitive applications like VOIP and video chat.

  • by bobbied ( 2522392 ) on Wednesday January 07, 2015 @06:13PM (#48760035)

    Isn't this a classic man in the middle attack, where somebody is issuing bogus site certs using authority they really don't legally have? Who is their certificate authority?

    Wouldn't this be a violation of their CA agreement? I mean, signing certs for websites that YOU don't own or control is surely a way to get either busted by the authority that issued your signing keys, or if you are your own authority, get yourself removed from everybody's "trusted authority" lists.

    At the very LEAST their certs should be revoked along with their authority to create more... And It should happen NOW.

    • by Ancil ( 622971 )

      Did you even glance at the linked screenshot?

      The certificate is signed by some random, internal IP address. No browser would think it's a valid in the first place.

      • Actually, no, the web filters her at work prevent me from looking at that page. We actually DO https proxies here for a valid reason.

        So, then GoGo needs to be summarily slapped and told to stop doing this kind of thing and the CTO needs to issue a statement that actually explains what they thought they could accomplish by USING said scheme.

        In the mean time, somebody should generate a US-CERT warning for this...

  • by steelfood ( 895457 ) on Wednesday January 07, 2015 @06:20PM (#48760091)

    This is why we need cert pinning. I use CertPatrol on Firefox currently. Even if I can't do anything about MITM proxies, I know about it at least and adjust my surfing behavior accordingly.

    Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference." I have to take it on faith that the new cert is replacing an old, expiring cert (or a few months back, a SHA2 cert replacing a SHA1 cert). That, and Twitter and quite a few other sites use 50 different certs, distributed across five or six domain names. The constant pop-up gets real annoying, especially when their servers are slowly phasing to a new cert from an old one.

    • Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference."

      Or hey my cert got hacked and I need to install a new one...please believe me. I think what we need to do is push this out to the CAs probably using something similar to in-band OCSP to at least allow for unexpected changes while still locking down the hierarchy.

      • The approach taken by the http key pinning draft is to require sites using it to have at least one spare key. The spare key can then be used to order a new cert in the event that the main key is compromised.

        Of course if you were stupid/careless enough to get your spare key lost or stolen too then you have a problem :(.

  • Forgery? (Score:4, Interesting)

    by laughingskeptic ( 1004414 ) on Wednesday January 07, 2015 @07:11PM (#48760475)
    Under civil law, this is certainly a trademark violation. Is this a forgery under criminal law?
  • by roca ( 43122 ) on Wednesday January 07, 2015 @07:22PM (#48760551) Homepage

    One big problem here is that when "legitimate" services present invalid certificates, it teaches users to accept browser-provided "broken SSL" UI as a normal thing that they should just ignore. This is very harmful to Internet security in general.

  • If Gogo doesn't have the bandwidth to handle streaming video, they should just block the sites outright. Better to do that than to mess with it in this way.

  • I have to wonder if their essential decryption and interception of content couldn't be construed as a DMCA violation and wiretapping.

  • I was wondering why ALA stopped offering them altogether after the New Year's. I guess they knew something was coming ahead of time and didn't want their name to be pushed into the mudslinging to come.
  • by Opportunist ( 166417 ) on Wednesday January 07, 2015 @09:43PM (#48761469)

    By slipping phony certificates into a user's appliance you do compromise his security. Saying that you take it seriously is a blatant lie.

    So why the fuck should I believe anything else you said?

  • I see no problem in limiting bandwidth when necessary. The real problem is the mechanism, which is essentially fraud. It would be very surprising if Google couldn't legally stop another company from certifying themselves to be Google if they really are not. After all, corporations are people now, right?
  • As noted on the IETF bufferbloat list, they can support streaming, they just screwed it up (;-))

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...