In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming
Amanda Parker writes In-flight internet service Gogo has defended its use of a fake Google SSL certificates as a means of throttling video streaming, adding that it was not invading its customer's privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter. From the article: "The image clearly shows that Gogo signed the certificate, not Google, thus misleading customers and opening the door to malware on users' devices. It also serves as a way to throttle data and limit traffic on its networks. 'Gogo takes our customer's privacy very seriously and we are committed to bringing the best Internet experience to the sky,' CTO Anand Chari said in a Monday statement."
Get What You Pay For (Score:1, Insightful)
These fuckers need to stop selling shit they can't support. If I pay for bandwidth, I need to have it when I want it, for whatever I want it for.
And don't give me any of this "Up To" bullshit. They should be required to indicate what the average speed you are buying is.
Re:Get What You Pay For (Score:5, Insightful)
Re: (Score:2)
I wish they went 750! Unfortunately, it seems most travel at about ~450 these days to save fuel. Maybe that will change with falling oil prices, but as long as ticket price is king, probably not.
Re: (Score:2)
More flights means moving more passengers per plane - money saved on plane rental, staff, maintenance.
No-one expects oil to stay this cheap forever though. It's just a matter of how long.
Re:Get What You Pay For (Score:4, Informative)
They could say something like this:
Oh wait. That's exactly what they say. They're very up-front about not being able to stream video.
Re: Get What You Pay For (Score:1)
Re:Get What You Pay For (Score:5, Interesting)
People are getting their panties in a twist about the contract rather than the real kicker. There are many more suitable ways to prevent streaming like QoS, blacklists etc. Instead they choose to MITM an encrypted connection.
I don't care what they say. They are completely in the wrong and I'm sure if you read the laws carefully enough what they are doing is likely illegal as they have more than 3 letters in their name.
Re: (Score:2)
The photo shows that Gogo issued the fake certificate which is why the browser flagged it.
https://twitter.com/__apf__/st... [twitter.com]
Re: (Score:2)
There's no competition there - I think it'd be fine to be perfectly up front to say something like "While we're screaming across the earth defying gravity at 750 miles per hour, we do not have the ability to provide enough bandwidth so that everyone may watch Netflix. Streaming video sites are not accessible. You don't like it, don't buy it."
Everything people hate about business is Marketing's fault in my opinion. Honesty doesn't make sales.
Re: (Score:2)
They do.
They make it very clear that streaming video is unacceptable and not allowed.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
If your answer is yes, I have to ask, why?
Re: (Score:2)
Re: Get What You Pay For (Score:2)
Re: (Score:2)
It's not really a matter of "more important", it's a matter of latency (think "ping time").
If I'm using VOIP, or playing an online game, then it's important that I get low latency. If I'm downloading 10GB or a game update, latency doesn't matter. Therefore, when there's a batch of packets ready to go, it makes sense to send the low-latency ones first, and give priority to following low-latency packets. There does have to be some way to prevent a high-bandwidth operation from having uniformly low laten
Re: (Score:2)
If everybody has the same right to get reduced latency for certain things, the system remains fair.
No it's not. My 10GB download shouldn't be slowed down by someone else doing 10GB of video game. If the latency is too bad so that online games are not playable, then the network should be upgraded. Also it's impossible to implement. You can't detect if traffic is gaming or not. You can't detect if it's VoIP or not. Don't tell me that you only have to whitelist xbox live and SIP as there are thousands of game and VoIP protocols.
Re: (Score:2)
Absolutely, because everyone paid the same for the same service.
It's perfectly possible to do per-user load balancing. If you advertised "up to 100 Mbps, speeds may be lower at peak times" and then oversold a 1 gig link to 100 people, then prioritize the first 10Mbps of each user's packets. Everyone's online games, VoIP traffic, streaming music, web browsing, and email will work perfectly. That one guy who's streaming 5 HD Netflix movies will have to suck it up. The guy who's torrenting will get 50Mbps
If that's what you are selling - yes (Score:2)
If that's what you are selling - yes, whoever gets in first clogs the pipe. As for why, if you promised raw bandwidth and not details it's about keeping a promise.
However if you tell the customers that certain traffic gets bumped up in priority and they agree to remain your customers then go for whatever QoS scheme you want. It's perfectly acceptable in workplaces for instance
Re: (Score:2)
No consumer broadband ISP promises raw bandwidth without prioritisation on their cheapest ($/GB, $/Mbps) prices.
Why? Because it's impossible to ensure everyone can get DNS responses while 20% of the users are flooding the network with as many P2P packets as they can.
Re: (Score:2)
Re: (Score:2)
Yes. your question has only a few limited scenarios - there are many many more that could be listed - trying to reasonably rank those without context is completely unreasonable. Even looking at your examples I'm having a hard time figuring out what order to try to rank those options in - I'm sure there would be as much agreement as with selecting pizza toppings.
A good ISP (there aren't many) should announce their average upload download rates and paying users should expect to experience those numbers regar
Re: (Score:3)
I paid for some GoGo on a flight recently. The signup page made it pretty clear that data speeds were pretty limited and I wasn't allowed to stream video. I don't know why they need to spoof certs for that as opposed to just blocking sites or protocols though. Maybe they do some sort of data compression on the ground before transmitting to the plane or something?
Re: (Score:1)
They limit you to a 1mbps 802.11b connection. They perform further rate limiting on packets going in and out of the plane, however I was able to transmit voice clearly and low bandwidth (~384kbps) video on my last gogo flight. The price hikes have been enough for me to put away the laptop while flying, but for 4+ hour flights I still break out my raspberry pi and offer streaming video to others on the plane
Re: (Score:2)
Because outright fraud was more convenient than blocking.
If it wasn't happening on a computer we'd be seeing people getting dragged into court instead of the casual acceptance of fraud we see around a lot of SSL issues.
Truth in Advertising (Score:2)
They cannot call their service "Internet". This goes for any company that messes with packets, discriminates, blocks ports, or in any way defeats standard protocols.
Re: (Score:2)
These fuckers need to stop selling shit they can't support.
Before you pay for it Gogo asks you not to use it to stream video or use other high bandwidth applications.
Re:Get What You Pay For (Score:5, Insightful)
You lied when you sold it to the second user.
Re: (Score:1)
No matter whether it is a burger or bandwidth, you will have an order of sale and order of fulfillment. For physical goods, fulfillment comes immediately after sale. For something like bandwidth, the current mechanism is to continue to sell even if you cannot fulfill. This is wro
Re: (Score:2)
ISPs are like all you can eat restaurants. In your example it would be like an all you can eat restaurant making enough food for one person and letting 1 million through the door. They have to estimate what the average person eats and make sure there is enough food for everyone they let through the door.
The difference is that most all you can eat restaurants will start turning people away at the door when they know they are going to run out of food. ISPs just keep selling to more customers even when they
Re: (Score:2)
A restaurant would quickly go out of business if they had to cater to a steady stream of people with big coolers..
Re: (Score:2)
There's always a perverse incentive. The obvious solution for a restaurant would be to start lowering the quality of the food to people consuming too much. On your fourth plate of prawns? Time to crank up the oven and serve the fifth overcooked and dry. The ISP counterpart would be to degrade service to heavy users - which is exactly what they do.
Re: (Score:2)
Me neither but we have no idea what kind of filtering system you can install onto a plane.
My guess is that they can't filter by DNS lookup for some reason (people's devices have cached answers?) but they can do SSL rewriting, and for big sites like anything Google runs IP address blocking isn't useful because all their sites share IPs. They know browse
When were you last a network engineer? (Score:2)
Re: (Score:2)
Nonsense. Comcast figured this out ages ago. For each TCP stream, you set the first 64k to be high priority and everything after that to be low priority. You declare UDP packets with the same (source, dest) to be a stream and do the same with those.
If you want to be more clever than that, you can favor constant rate low-bandwidth streams. This makes VoIP and gaming users happy.
Finally, you also track per user usage. The first X megs in an hour is default priority, and anything after that is progressively
Re: (Score:2)
Most Network Engineers I know work with routers, switches, load balancers and firewalls, and want to run the latest Cisco/Juniper etc. and haven't worked in detail with DPI-based traffic management solutions, so they still think you need to MITM the traffic to identify it.
This [pastebin.com] is taken from a production DPI-based traffic management device for my traffic while the kids are watching youtube on XBMC (still need to upgrade to Kodi), and clearly shows that youtube on port 443 is easily identified.
(Tried to paste
Re: (Score:2)
DPI doesn't need to break SSL. Most broadband networks use DPI for managing traffic, and you don't get certificate validation problems when watching youtube.
Why? (Score:2)
Re: (Score:2)
You're not thinking like someone who has to deal with the general public.
People who read slashdot can easily rattle off some semi-accurate estimates for how much bandwidth a particular online activity consumes. Load BBC News? Less than 1mb (I hope). Listen to a streamed MP3 of a pop hit? Probably 3-4mb. Watch a 40 second video? Maybe 5-8 megabytes. Windows update? Errrmm ..... maybe 20-30? Stream a full TV episode. Multiple gigabytes.
None of this means anything to your average flyer. They don't think in uni
Re: (Score:2)
It seems like a bad precedent to allow a company to impersonate another. I'd rather they throttle people to 256K each and let the performance lag weed out the excess usage naturally.
Re: (Score:2)
They aren't allowed to impersonate another company, I suspect that's rather the point. Look at the screenshot: the HTTPS indicator was crossed out. I guess you have to click through a big fat warning to get there ..... and I'm surprised it's even possible at all. I thought YouTube was SSL pinned. Maybe it's just google.com
Re: (Score:2)
Very few people pay attention to the 'invalid SSL' warnings.
Re: (Score:2)
That was true 10 years ago. These days browsers make them un-ignorable and in some cases like with HSTS unbypassable.
Re: (Score:2)
It's true today. Many of us have to deal with internal corporate web services that do not have a signed SSL key, or deal with intervening proxies which we have no choice but to use in our environments.
Re: (Score:2)
one word (well, maybe two):
STINGRAY
god damned fucking cops enjoy using fraud to spy on us. they could not care less about our little laws and rules.
and yet, this company is doing pretty much the same thing. they are not cops so they will not get away with it.
but it stinks, no matter WHO does the frauding.
oh, and almost every company that gives employees laptops also frauds them, as they install custom mitm certs so they can spy on your comms while you use their laptop.
when will all this shit end???
Re: (Score:2)
You're not thinking like someone who has to deal with the general public.
People who read slashdot can easily rattle off some semi-accurate estimates for how much bandwidth a particular online activity consumes. Load BBC News? Less than 1mb (I hope). Listen to a streamed MP3 of a pop hit? Probably 3-4mb. Watch a 40 second video? Maybe 5-8 megabytes. Windows update? Errrmm ..... maybe 20-30? Stream a full TV episode. Multiple gigabytes.
In my experience an episode of 20 minutes at 720p is about 700mb and 480p of the same length is 350mb but varies with format and encoding.
Re: (Score:2)
Re: (Score:2)
Why do they need to see the decrypted packet payloads? Surely throttling could be done based on a device's behavior (e.g. bandwidth used) without having to know exactly what the user is doing.
My guess is that they want to control the advertisements you see, even on encrypted pages and that the CTO is blowing smoke because he doesn't want to tell you this (and/or really doesn't know how all this works). If they *really* are trying to filter https bandwidth, this was a sorry way to do it. Not only is it ineffective and not very simple, it is risky for the customer.
Right now, GoGo needs to have its certificates yanked by the authority they use, or if they are self signed, GoGo needs to be remov
Re: (Score:1)
Airplanes. Engineers preparing presentations on new R&D. Accountants with financial data. Executives. All working on the flight. The potential for industrial espionage must be tantalizing.
I foresee a new directive in a lot of IT policies regarding laptops and travel and never using wifi on the plane (at least not without a VPN), not that the C-levels will pay attention.
Re: (Score:2)
"I foresee a new directive in a lot of IT policies regarding laptops and travel and never using wifi on the plane"
I don't.
"not that the C-levels will pay attention"
For this exact reason.
Routing? (Score:3)
Why would they do all that instead of just put access lists at the edges?
Re: (Score:1)
YouTube / Google makes this particularly hard for them. Google uses the same IP range for most of its services. Blocking Google Search is a non-starter. But that means that you cannot block YouTube by IP address. Ok, so you simply block requests to youtube.com (and its other country specific variations). There are two issues however, getting around this is as easy as `nslookup youtube.com 8.8.4.4` and assuming you do catch the DNS request, you cannot send back an error response because YouTube is now co
Re: (Score:2)
Since YouTube switched to HTTPS it has become hard to block/throttle just the videos with an access list. They could invest in some DPI to do it, but they found a cheaper way. Send a bogus certificate and MITM the connection, throttling only the video stream while leaving the rest of the site responsive.
YouTube automatically adjusts the video quality based on the available bandwidth. This way they can keep the site loading quickly, but throttle the video down to 240p.
Well it's okay when WE do it... (Score:5, Insightful)
Re: (Score:3)
Re:Well it's okay when WE do it... (Score:5, Insightful)
what's wrong with streaming? Why should a user using 1GB visiting web pages should get more priority than another user streaming a 1GB video?
There is nothing wrong with streaming, but is there something wrong with bandwidth rationing to ensure that all the customers on your plane have the same share of a limited resource? The guy using web pages trying to plan activities at his destination is never going to download 1Gb of data during a flight just browsing websites, while a dozen streaming users might hog all the bandwidth over a limited connection ruining the experience for everybody else on the plane. Gogo claims they are doing this in order to be able to prevent bandwidth hogs from using encrypted connections to bypass their bandwidth rationing mechanism but I don't really get why that is necessary. Surely you can bandwidth limit an encrypted connection without having to know what is being transmitted over that connection, so if somebody is streaming a video on full HD over SHTTP they'd simply get a poor frame-rate without GoGo ever needing to know what they were viewing.
Re: (Score:2)
There is nothing wrong with streaming, but is there something wrong with bandwidth rationing to ensure that all the customers on your plane have the same share of a limited resource?
In practice (under a system like Gogo is using), the guy FTPing a 1GB video from home will see better performance than someone watching the same thing on Youtube. You are defending that practice, while saying equality is good. I can't figure out what you actually mean.
You don't need to run a MITM for Quotas (Score:2)
Good grief, I have no problem with rationing bandwidth. Especially as you state, because the plane is going to have limited bandwidth and lots of connections competing. There are very effective ways of rationing bandwidth without hijacking user sessions without their knowledge, which is what this service is doing. Their method is not the cheapest, nor the easiest way to do this. It's like Motorola, who did the same thing and got busted. I will never, ever, buy a motorola device because of it. Just lik
Re: (Score:2)
Ya well, they want the COMMERCIALS to stream.
Fuck, most of the time the commercials are the only things that do get through throttling schemes.
There's only this one ISP in the plane, see (Score:2)
Re: (Score:2)
Unregulated monopoly? Aren't they illegal, or was that only in the '30s?
No, neither. Monopolies are (and were) only barred from leveraging their position to harm competition, or customers. If they just keep operating normally after they become a monopoly, and don't "pull anything," then there is no problem.
Re: (Score:2)
I would imagine they're using some sort of bandwidth optimisation between ground and plane (something like a Riverbed, perhaps). They could do the same with encrypted packets, but the hit rate on those is practically zero, so they'd get no gain. Instead, they decrypt on the ground, compress the stream and send it up to the plane, which uncompresses the stream, re-encrypts whatever it needs to and sends it out the clients. They obviously can't use the original cert for that re-encryption, so they use their o
Why would you need this for throttling? (Score:5, Insightful)
Why would this even be needed for throttling? If you don't want a customer downloading at more than 256kbps, then throttle him or her to 256kbps (or whatever).
If you don't want a given connection at more than 256kbps, then throttle each connection at 256kbps
Hell, if you *just* want to throttle youtube, then have your DNS hosts respond with an address you control for all youtube requests and throttle that one (then NAT through the actual traffic without breaking encryption).
There seems to be very little benefit in decrypting SSL for throttling purposes, and a lot more benefit in viewing users' private correspondence (emails, G+, whatever else uses that certificate chain).
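The per-stream and per-user priority scheme described earlier in the thread ("the first 64k of each TCP stream high priority, everything after low", then a per-user budget that demotes progressively) and the per-connection throttling suggested in the post above are the same idea: classify on packet headers and byte counts alone, never on payload, so the scheme works on TLS traffic without any interception. The following is an added illustration written for this page, not code from any commenter, Gogo or Comcast; the packet format, the 64 KB threshold taken from the comment, the per-user budget size and the sample flows are all constructed.

```python
from collections import defaultdict

# Constructed example: a per-flow priority classifier in the style the
# thread describes. It looks only at flow identity (protocol, source,
# destination) and byte counts, so encrypted and plaintext flows are
# treated identically; no decryption or certificate substitution needed.

STREAM_HIGH_BYTES = 64 * 1024          # "first 64k" rule quoted in the thread
USER_BUDGET_BYTES = 50 * 1024 * 1024   # assumed per-user budget per window


class PriorityClassifier:
    """Assigns each packet a priority class: 0 is best, larger is worse."""

    def __init__(self, stream_high_bytes=STREAM_HIGH_BYTES,
                 user_budget_bytes=USER_BUDGET_BYTES):
        self.stream_high_bytes = stream_high_bytes
        self.user_budget_bytes = user_budget_bytes
        self.stream_bytes = defaultdict(int)  # bytes seen per (proto, src, dst)
        self.user_bytes = defaultdict(int)    # bytes seen per user this window

    def classify(self, pkt):
        """pkt is a dict with keys user, proto, src, dst, size (constructed format)."""
        flow = (pkt["proto"], pkt["src"], pkt["dst"])
        stream_seen = self.stream_bytes[flow]
        user_seen = self.user_bytes[pkt["user"]]
        # Per-stream rule: the opening bytes of a flow (handshake, page load,
        # VoIP call setup) ride in the top class; a long download or video
        # stream drops one class once it passes the threshold.
        penalty = 0 if stream_seen < self.stream_high_bytes else 1
        # Per-user rule: every full budget consumed demotes one more class,
        # so a heavy user degrades progressively instead of being cut off.
        penalty += user_seen // self.user_budget_bytes
        self.stream_bytes[flow] += pkt["size"]
        self.user_bytes[pkt["user"]] += pkt["size"]
        return penalty

    def reset_window(self):
        """Call at the start of each accounting window (e.g. hourly)."""
        self.user_bytes.clear()


def classify_all(packets, **kwargs):
    """Run one classifier over a packet list and return the class per packet."""
    clf = PriorityClassifier(**kwargs)
    return [clf.classify(p) for p in packets]


def make_flow(user, src, dst, size, count):
    """Constructed packets: `count` packets of `size` bytes on one TCP flow."""
    return [{"user": user, "proto": "tcp", "src": src, "dst": dst, "size": size}
            for _ in range(count)]


if __name__ == "__main__":
    # A short HTTPS page fetch stays in class 0 throughout.
    web = make_flow("alice", "10.0.0.2:51000", "203.0.113.5:443", 4096, 4)
    # A long HTTPS video stream keeps class 0 for its first 64 KB, then drops.
    video = make_flow("bob", "10.0.0.3:51001", "203.0.113.9:443", 16384, 10)
    print("web  :", classify_all(web))      # [0, 0, 0, 0]
    print("video:", classify_all(video))    # [0, 0, 0, 0, 1, 1, 1, 1, 1, 1]
    # With a small budget, a heavy user is demoted one further class per budget.
    heavy = make_flow("carol", "10.0.0.4:51002", "203.0.113.9:443", 50000, 5)
    print("heavy:", classify_all(heavy, user_budget_bytes=100000))  # [0, 0, 2, 2, 3]
```

The classes are input to whatever queueing discipline the edge router offers (strict priority or weighted fair queueing); the point of the example is that the decision needs nothing the TLS layer hides, which is the objection several commenters raise to certificate substitution.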
Re: (Score:2)
I'm guessing the real reason is so they can do some sort of compression between the ground and aircraft. Lossy compression of Facebook and Google images could save a good bit of bandwidth, and they can't do that without intercepting the unencrypted data using this method.
Re: (Score:2)
I like your idea, but why don't they just say that? There is also the prospect of inserting their own ads, which seems likely too.
As it stands that CTO guy sounds like a buffoon who is trying to hide something.
Re: (Score:2)
Compression and/or caching.
Re: (Score:2)
This. Yes, the "right" way is just to block YouTube.com entirely.
The way they've implemented it allows you to still read YouTube for the comments (snicker), or maybe edit videos or search and bookmark links to view later. I suppose now they're sorry that they tried to do you a favor.
Re: (Score:2)
Re: (Score:2)
We need to keep reminding people that a VPN is pretty much mandatory for public internet access like wifi.
Re: (Score:2)
I suspect the special issue here is they don't want ANY of some types of streaming, even if it low bandwidth. So they want to be able to inspect what is being sent across. You can stream audio at relatively low bandwidth, and so if they simply throttled the bandwidth that may allow people to make a phone call, which is a huge no no on most carriers.
Re: (Score:2)
They make it very clear what the restrictions are before you pay.
Editorial (HAH!) Heads-Up (Score:5, Insightful)
2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).
It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.
Re: (Score:2)
2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).
It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.
This is why no-one reads the article.
Cheap or bad (Score:1)
Or they may be bad. I don't know. Either way it's a no go; think of something better.
Re: (Score:2)
I dont see why equipment should matter, they could just do the MITM wherever they downlink to rather than in-aircraft.
Re: (Score:2)
It feels like they're just using a cheap solution to control their bandwidth. (Maybe weight of equipment plays a significant role in these applications, too.) Or they may be bad. I don't know. Either way it's a no go; think of something better.
My bet is that they think #1 is true, but given my experience with them it really is that they are that bad at network management... Well that and they thought nobody would notice them doing this when they tried to get away with something.
Re: (Score:2)
How about simply throttling data rate as normal? (Score:4, Informative)
Re: (Score:2)
The problem with that method is that it will cause the video to pause and stutter. If they can throttle it from the very beginning YouTube will automatically select the lowest possible quality stream and then play it back without any issues.
Also, bursts tend to screw up latency sensitive applications like VOIP and video chat.
Now wouldn't this be a violation... (Score:5, Insightful)
Isn't this a classic man in the middle attack, where somebody is issuing bogus site certs using authority they really don't legally have? Who is their certificate authority?
Wouldn't this be a violation of their CA agreement? I mean, signing certs for websites that YOU don't own or control is surely a way to get either busted by the authority that issued your signing keys, or if you are your own authority, get yourself removed from everybody's "trusted authority" lists.
At the very LEAST their certs should be revoked along with their authority to create more... And It should happen NOW.
Re: (Score:2)
Did you even glance at the linked screenshot?
The certificate is signed by some random, internal IP address. No browser would think it's valid in the first place.
Re: (Score:2)
Actually, no, the web filters here at work prevent me from looking at that page. We actually DO https proxies here for a valid reason.
So, then GoGo needs to be summarily slapped and told to stop doing this kind of thing and the CTO needs to issue a statement that actually explains what they thought they could accomplish by USING said scheme.
In the meantime, somebody should generate a US-CERT warning for this...
Cert Pinning (Score:3)
This is why we need cert pinning. I use CertPatrol on Firefox currently. Even if I can't do anything about MITM proxies, I know about it at least and adjust my surfing behavior accordingly.
Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference." I have to take it on faith that the new cert is replacing an old, expiring cert (or a few months back, a SHA2 cert replacing a SHA1 cert). That, and Twitter and quite a few other sites use 50 different certs, distributed across five or six domain names. The constant pop-up gets real annoying, especially when their servers are slowly phasing to a new cert from an old one.
Re: (Score:3)
Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference."
Or hey my cert got hacked and I need to install a new one...please believe me. I think what we need to do is push this out to the CAs probably using something similar to in-band OCSP to at least allow for unexpected changes while still locking down the hierarchy.
Re: (Score:2)
The approach taken by the http key pinning draft is to require sites using it to have at least one spare key. The spare key can then be used to order a new cert in the event that the main key is compromised.
Of course if you were stupid/careless enough to get your spare key lost or stolen too then you have a problem :(.
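How a pinning client handles the spare-key rule from the HTTP key pinning draft (published as RFC 7469), and why a rotation to the backup key passes while an intercepting proxy's certificate fails, as an added illustration that is not code from the thread, from CertPatrol or from any browser. The SPKI blobs are made-up byte strings standing in for real SubjectPublicKeyInfo DER; the header builder, function names and sample pins are all constructed for this example.

```python
import base64
import hashlib
import re

# Constructed example of pin validation in the style of RFC 7469 (HPKP).
# A pin is base64(sha256(SubjectPublicKeyInfo DER)). The byte strings below
# are placeholders for real SPKI DER, chosen only so the example runs offline.
SITE_SPKI = b"constructed-spki-current-site-key"
BACKUP_SPKI = b"constructed-spki-offline-backup-key"   # the spare key
CA_SPKI = b"constructed-spki-public-ca-key"
PROXY_SPKI = b"constructed-spki-intercepting-proxy-key"


def spki_pin(spki_der: bytes) -> str:
    """Compute the pin-sha256 value for a SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(max_age: int, *spkis: bytes) -> str:
    """Constructed helper: the Public-Key-Pins value a site would send."""
    pins = [f'pin-sha256="{spki_pin(s)}"' for s in spkis]
    return "; ".join(pins + [f"max-age={max_age}"])


def parse_pkp_header(header: str):
    """Extract the pin list and max-age from a Public-Key-Pins value."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    m = re.search(r"max-age=(\d+)", header)
    return pins, (int(m.group(1)) if m else None)


def served_pins(chain_spkis) -> set:
    return {spki_pin(s) for s in chain_spkis}


def header_is_noteable(pins, max_age, chain_spkis) -> bool:
    """A client may only remember a header that carries max-age, at least one
    pin matching a key in the served chain, and at least one pin that does NOT
    match (the backup key held offline). A site that pins only its live key
    is refused, which is what forces operators to keep a spare."""
    if max_age is None or not pins:
        return False
    served = served_pins(chain_spkis)
    return any(p in served for p in pins) and any(p not in served for p in pins)


def chain_matches_pins(chain_spkis, pins) -> bool:
    """On a later connection: accept iff some key in the chain is pinned."""
    return bool(served_pins(chain_spkis) & set(pins))


if __name__ == "__main__":
    header = build_header(5184000, SITE_SPKI, BACKUP_SPKI)
    pins, max_age = parse_pkp_header(header)
    print("noteable:", header_is_noteable(pins, max_age, [SITE_SPKI, CA_SPKI]))
    print("normal  :", chain_matches_pins([SITE_SPKI, CA_SPKI], pins))    # True
    print("rotated :", chain_matches_pins([BACKUP_SPKI, CA_SPKI], pins))  # True
    print("proxy   :", chain_matches_pins([PROXY_SPKI], pins))           # False
```

The rotation case is the one the comment asks for: a site that moves to its spare key keeps validating without any "please believe me" step, because the client already holds the spare's pin. A substituted certificate chain, such as the one in the screenshot, carries none of the pinned keys and is refused even if the user would otherwise click through an issuer warning.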
Forgery? (Score:4, Interesting)
Re: Forgery? (Score:1)
How?
Is gogo claiming they are google? Nope.
Are gogo using any google trademarks? Nope.
All they are doing is signing a ssl certificate for a trademarked domain they don't own.
FTFY
This sabotages user education (Score:5, Insightful)
One big problem here is that when "legitimate" services present invalid certificates, it teaches users to accept browser-provided "broken SSL" UI as a normal thing that they should just ignore. This is very harmful to Internet security in general.
Just block it instead of messing with it (Score:2)
If Gogo doesn't have the bandwidth to handle streaming video, they should just block the sites outright. Better to do that than to mess with it in this way.
DMCA? (Score:1)
I have to wonder if their essential decryption and interception of content couldn't be construed as a DMCA violation and wiretapping.
interesting (Score:2)
Liars. (Score:3)
By slipping phony certificates into a user's appliance you do compromise his security. Saying that you take it seriously is a blatant lie.
So why the fuck should I believe anything else you said?
How is this not identity theft? (Score:2)
Gogo suffers from bufferbloat (Score:2)
Re: (Score:2)
Re: (Score:2)
Um... IF that's what is happening to you, you are doing it wrong.
In corporate networks this is VERY common for controlling and monitoring internet access by employees. You have a corporate CA which is invalid outside the company but trusted by clients INSIDE the company. Then you put proxies at the border entry points. Voila, you can monitor and filter what your employees are doing at the proxy. This is how a lot of content filters actually work and with everything getting tunneled over https in a false
Re: (Score:2)
Yes, but there shouldn't be any of it going on (Score:2)
The whole idea sucks in a massive way for everyone. Your company now has people with full access to the internet banking details of any employee that logged in from the workplace. Now you've got an extra level of potential fallout from disgruntled employees or an outright criminal that has wormed their way in. Being a man in the middle with SSL is a liability for anyone law abiding in the middle - so counter those fools that want to put
Re: (Score:1)
Yeah, don't understand how this is news. It's not a security flaw, it's how your browser is supposed to warn you. Sure bandwidth on the plane sucks... YOU'RE ON A PLANE.
https://www.youtube.com/watch?v=uEY58fiSK8E
Re: (Score:2)
While I haven't personally used GoGo, I presume that you have to click "I Agree" after being shown a bunch of legalese that probably includes something like this:
"By clicking 'I Agree', I consent to having all of my traffic monitored while using this service. This includes traffic I might otherwise think would be private. Furthermore, by clicking 'I Agree', I grant such access and I renounce any claims of improper use of the data."
If you click "I agree", you pretty much give up any chance of fighting said n