Gogo Inflight Wi-Fi Undermines Encryption

Wi-Fi on planes is unreliable and expensive. Even worse: Service from Gogo—one of the primary providers of in-flight Internet—has a lot of strange insecurities. Google engineer Adrienne Porter Felt realized during a flight on Friday that, for Google services and possibly others, Gogo was undermining encryption meant to keep pages secure.

As Neowin first reported, the certificate which was supposed to show that Felt had a secure HTTPS connection to Google.com was raising a red X alert because it wasn’t signed by Google. It was signed by Gogo. Undermining the SSL/TLS protocols meant to encrypt data transmitted to and from a site is called a man-in-the-middle attack, and Gogo carries these out on its own users. The measures could give the company access to lots of user financial data because of the phony certificates. So what’s going on here?

Gogo’s chief technology officer, Anand Chari, said in a statment to Slate:

Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it … it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience. We can assure customers that no user information is being collected when any of these techniques are being used.

Basically, Gogo is intercepting secure traffic to check whether it involves video streaming, and then block bandwidth-hogging streams. Users have to trust that the company is only doing this for video streaming and isn’t tampering with or saving any sensitive data that it has access to.

When asked if Gogo complies with Payment Card Industry data security standards, a Gogo representative said “yes.” Gogo doesn’t specifically mention SSL proxying in its Terms of Use, but it does write:

Due to multiple users of our inflight Wi-Fi access point, Gogo does not provide an encrypted communication channel between our in-flight Wi-Fi access point and your device. Gogo does support secure Virtual Private Network (VPN) access and Secure Shell (SSH) access. If you have VPN, Gogo recommends that you use your secure VPN protocols for greater security.

The company goes on to claim that SSL-encrypted sites “can also generally be securely accessed through the Service.” It’s also worth noting that Gogo is known for working extensively with law enforcement agencies to comply with surveillance requests.

Maybe Gogo really is just trying to make sure that there’s enough bandwidth to go around. But this is a good time to practice a little cyber-hygiene. If you’re on a plane and need to use the Wi-Fi, don’t open your personal or work email (which is probably exactly why you want to use Gogo) or complete any financial transactions. And if you can avoid it completely, use flight time as a chance to catch up on airplane-mode-friendly activities.