GoGo in-flight WiFi creates man-in-the-middle diddle In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services. Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL …
Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.
Has anyone successfully decrypted this? I can normally have a stab at these Yoda-style sentences, but this one had me stumped!
Stick a couple of hyphens in:
"Gogo said at the time that an additional capability - seemingly the use of CAPTCHA to prevent remote access - was an apparent lone function that was not related to traffic monitoring."
But, even then, it's not particularly clear what real relevance that has unless you know the history already.
Specific certs for Google are, indeed, unnecessary. However, almost anything worth its salt when making an SSL connection KNOWS that it's untrusted... even the screenshot says so, which is why you don't get the proper secure icon. You can fake the cert, you can't fake the chain on someone's device without some serious sleight-of-hand that will get you into real trouble.
And almost all proxies in government departments, workplaces, etc. use the same trick to proxy SSL, but they just put the private signing authority into the local devices so you don't know it's "untrusted".
It's not really that nasty - you know you're being listened to - but it's a little pointless just to filter things that any filter could block if you wanted.
And, to be honest, if it's that much a problem, don't block, just rate-limit clients. That solves the problem all round without this kind of fiddling.
There is no legitimate excuse for a company to create fake certs that act like other companies. That is a breach or morale, pure and simple. If you don't want customers to do something on your network, be honest and block it (with a redirect to a page explaining why).
Anything else is a hypocritical cop-out.
But you actually can't block what happening inside an SSL packet without decrypting the SSL.
If I setup an SSL server in my house, that's a SOCKS proxy, then use that on my laptop to stream video from various video streaming sites, how do you block that on a plane, without rate limiting traffic, or decrypting the SSL? Those are your two options.
For some reason, flight induces near coma in me. I'm rapidly out like a light and don't usually awake until feeding time or on final approach.
Still, MTM... OK. My sectets tend to keep themselves. My net-fu is typically stronger than theirs is. I was an NA/SA/BOFL for a long, long time.
Which means that my laser mounted sharks can beat up their laser mounted sharks every time.
Wendy's, the fast food chain, also does this. So a national corporation being sneaky is a suprise? To be fair the Wendy cert can be kept as temporary and then deleted once you get redirected past the login page. Of course only those people who have no clue and don't want one WILL be upset at this news.
I found the CAPTCHA statement in a WIRED article from April 2014 as a quote from a GoGo exec from a phone call with a WIRED reporter about the concessions to law enforcement beyond CALEA. It sounds like an exec not knowing tech trying to explain tech. The fact is GoGo and other airplane WiFi providers are fully compliant with CALEA requirements and then some if law enforcement requests and it doesn't cost to much.
The other fact of relevance is that spoofing a certificate for a known HTTPS video streaming site is not even necessary to block or throttle the high bandwidth traffic. The explanation of using an off the shelf blocking solution is more suspicious than stating the technically inaccurate CAPTCHA is used to prevent remote access. There is still the possibility of a tech challenged exec trying to explain tech. I wonder what the response would have been if the spoofed wildcard cert was identified when attempting to check email or calendar?
GoGo's public statement on the matter does not have any indication that they will stop using the spoofed cert. I wonder what other spoofed certs they are using?
If an outfit like Google would file for a restraining order against outfits impersonating its certificates.
The results might be interesting, given the way certificates are touted as identification by all and sundry including govt.
on the one hand, they might be declared not to be, in which case the whole industry implodes.
on the other, if they are, then (im)personation is generally regarded as a serious criminal matter.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
