8 Responses

  1. Chris

    Nail on the head. This reminds me of the thinking that caused the #1 computer disease vector: browser plug-ins.

    It starts with a great idea: “Hey, let’s expand the browser’s functionality so that we can do cool stuff with our web site!” But ultimately it trained users to say “yes” to any request, lest the site not work for them. We’ve been fighting the battle to eliminate plug-ins ever since, principally by expanding what browsers themselves can do (HTML5 video, etc.).

    When the big browsers started making non-authenticated pages more obvious (preventing access without a click-through, flashing a red address bar, etc.), it was a fair bet that you would only see red if something was actually wrong, and you’d pay attention. But if GoGo and others start training users to say “yes” to anything again, we’re doomed to repeat the mistakes of Java and Flash.

  2. Sice

    How awesome that she works for Google in Chrome usable security…she’d know exactly how to look for security holes like this that impact the user experience.

  3. Alan

    Proxies are everywhere. When you go to a hotel, office, or a coffee shop, your Internet traffic is being proxied. The particular case with the GOGO incident is that the particular type of proxy (called an SSL proxy) GOGO uses to handle HTTPS traffic issues a self-signed certificate “on behalf” of Google, and it was caught by a Google researcher/engineer.

    I believe it is perfectly legitimate for GOGO to proxy traffic and shape the usage of each user. I wouldn’t be surprised if it is clearly stated in their T&C. For any type of proxied traffic, the proxy knows exactly what the contents are. And in this case, GOGO’s SSL proxy has visibility into the users’ encrypted Web traffic if it chooses to. However, I’m pretty sure GOGO wouldn’t try to record or make any use of such information. In addition, it is really a burden for the proxy to do so and will greatly affect the network performance.

    From the other side, browsers like Chrome have advanced security features so that they know which SSL certificates are authentic. In GOGO’s case, they are not trying to trick the users by impersonating Google. Instead, the certificate is self-signed by GOGO as shown in the screenshot.

    If GOGO can come up with certain policies on what types of SSL traffic are proxied, e.g., no financial, it shouldn’t bother most of the users who browse on the plane.
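Editor’s note, added example (not code from the original post or any commenter): the check Alan alludes to, in simplified form. A browser accepts a certificate only if it can build a path from the leaf to a root in its trust store; a certificate the proxy signed with its own key has no such path, and Chrome additionally ships built-in key pins for Google domains, so even a proxy whose CA the user has installed (the corporate-device case) is still rejected for those sites. Certificates here are plain records with constructed key bytes, the “signature check” is a hash match against the issuer’s key, and all names (`Example Root CA`, `Inflight Proxy CA`, and so on) are hypothetical.

```python
"""Simplified model of how a client decides a certificate is authentic.

Certificates are plain records and the SubjectPublicKeyInfo is a constructed
byte string (no real keys); a signature check is stood in for by matching the
child's `signed_by` field against the hash of the issuer's key.  Real path
validation does more (signatures, validity dates, name constraints), but the
decision structure is the same.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes        # constructed stand-in for the DER SubjectPublicKeyInfo
    signed_by: bytes   # hash of the key that signed this cert


def key_id(spki: bytes) -> bytes:
    """SHA-256 over the SPKI: the value HPKP / built-in pins are compared against."""
    return hashlib.sha256(spki).digest()


def make_ca(name: str) -> Cert:
    """Self-signed CA record (subject == issuer, signed by its own key)."""
    spki = f"key:{name}@{name}".encode()
    return Cert(name, name, spki, key_id(spki))


def issue(subject: str, issuer: Cert) -> Cert:
    """Certificate for `subject` signed by `issuer`'s key."""
    spki = f"key:{subject}@{issuer.subject}".encode()
    return Cert(subject, issuer.subject, spki, key_id(issuer.spki))


def is_self_signed(cert: Cert) -> bool:
    return cert.subject == cert.issuer and cert.signed_by == key_id(cert.spki)


def build_chain(leaf, intermediates, trust_anchors, max_depth=5):
    """Walk issuer links from the leaf until a trust anchor signs the current
    cert.  Returns [leaf, ..., anchor] or None if no trusted path exists."""
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        for anchor in trust_anchors:
            if anchor.subject == current.issuer and key_id(anchor.spki) == current.signed_by:
                return chain + [anchor]
        nxt = next((c for c in intermediates
                    if c.subject == current.issuer and key_id(c.spki) == current.signed_by), None)
        if nxt is None:
            return None
        chain.append(nxt)
        current = nxt
    return None


def validate(leaf, intermediates, trust_anchors, pins=None):
    """Return (ok, reason).  `pins`, if given, is a set of SPKI hashes; at least
    one certificate on the validated chain must carry a pinned key."""
    chain = build_chain(leaf, intermediates, trust_anchors)
    if chain is None:
        if is_self_signed(leaf):
            return False, "self-signed leaf that is not a trust anchor"
        return False, "no path to a trust anchor"
    if pins is not None and not any(key_id(c.spki) in pins for c in chain):
        return False, "chain validates but carries no pinned key"
    return True, "ok"


# Hypothetical names; the real 2015 chain and the GoGo certificate differ.
ROOT = make_ca("Example Root CA")
INTERMEDIATE = issue("Example Intermediate CA", ROOT)
GOOGLE_LEAF = issue("*.google.com", INTERMEDIATE)
GOOGLE_PINS = {key_id(INTERMEDIATE.spki), key_id(GOOGLE_LEAF.spki)}

SELF_SIGNED_FORGERY = make_ca("*.google.com")   # what the thread describes GoGo serving
PROXY_CA = make_ca("Inflight Proxy CA")         # an interception CA the client does not trust
PROXY_FORGERY = issue("*.google.com", PROXY_CA)


def run_scenarios():
    """Outcome of each scenario as {name: (ok, reason)}."""
    public = {ROOT}
    with_proxy_ca = {ROOT, PROXY_CA}            # e.g. a corporate device with the proxy CA installed
    return {
        "legit": validate(GOOGLE_LEAF, [INTERMEDIATE], public, GOOGLE_PINS),
        "self_signed": validate(SELF_SIGNED_FORGERY, [], public, GOOGLE_PINS),
        "proxy_ca_untrusted": validate(PROXY_FORGERY, [], public, GOOGLE_PINS),
        "proxy_ca_trusted_no_pins": validate(PROXY_FORGERY, [], with_proxy_ca),
        "proxy_ca_trusted_pinned": validate(PROXY_FORGERY, [], with_proxy_ca, GOOGLE_PINS),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:26s} {'ACCEPT' if ok else 'REJECT'}  ({reason})")
```

The two `proxy_ca_trusted_*` scenarios are the ones worth noticing: with the proxy’s CA in the trust store and no pins, the forged certificate is accepted, which is exactly how sanctioned corporate TLS interception works; the pin is what turns that into a rejection for pinned sites.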

  4. ucipass

    Thanks for sharing this. I would NOT trust this type of access no matter what…
    You might as well send them all your passwords and use them for auto login at that point…

  5. Nick

    Yeah I agree snooping SSL traffic is murky territory. Why can’t they have more intelligent shapers based on traffic patterns and usage etc?

  6. Kevin

    GoGo may be saying that they don’t collect or look at the encrypted data – but insider threats are currently the largest cyber security issue according to many IT security polls. I wouldn’t trust logging into anything even remotely important from one of their connections, nor would I want any of my employees that use SSL VPNs to connect to the office and think that their confidential emails, presentations or other data are secure, when they most certainly are not.

    If GoGo are worried about people streaming YouTube, Netflix or making Skype calls, etc – just block them or their categories outright.

    1. Penguin

      I agree, Kevin.

      We may trust GoGo’s policies and intentions, but that’s different from trusting the security of GoGo’s infrastructure. We do not know if their systems and network are compromised by internal or external agents, and we do not know if there are accidental log collections or leaks.

      That said, using secure VPNs to your company will be completely fine because the only traffic GoGo’s servers can decrypt will be the traffic for which they have issued a fake certificate.