How Gogo found trouble with traffic shaping


In-flight connectivity provider Gogo has never been shy about admitting it controls what content travelers using its service will have access to. Bandwidth is a much more scarce resource in the sky than on the ground and more consumers than ever are connecting during a flight. That’s good news for the company which provides connectivity for the most aircraft on the planet but it also means the struggle to keep everyone happy is very real. And, over the years, the cat-and-mouse game of consumers trying to access blocked services and the response from the company has necessitated changes in the way those blocks are implemented.

Most recently the company has turned to SSL certificate spoofing to effect some of the blocks. The method involves Gogo issuing “fake” SSL credentials from one of its servers whereby it pretends to be the desired server, but rather than returning the requested content it returns an error page informing the user that the content is not available on board. This method is also known as a “Man in the Middle” (MITM) attack and can be used by hackers to decode and inspect the encrypted traffic before passing it along to the intended target server. Or, as in Gogo’s case, blocking the traffic. And, while the company insists its intentions are pure, the means by which it is acting has both privacy and computer security folks up in arms.
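How a client can tell a substituted certificate from the genuine one, as an added example that is not part of the original post: the sketch below triages parsed certificate fields, given in the nested-tuple shape Python's `ssl` module uses for `getpeercert()`. The host name, CA names and all three sample certificates are constructed placeholders.

```python
# Added example; every certificate below is constructed, not captured traffic.

def _names(rdn_seq, key):
    """Collect values for `key` from a subject/issuer in getpeercert() shape."""
    return [v for rdn in rdn_seq for (k, v) in rdn if k == key]

def _host_matches(host, pattern):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def classify_cert(host, cert, expected_issuer_orgs):
    """Return 'name-mismatch', 'self-signed', 'unexpected-issuer' or 'ok'."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_host_matches(host, p) for p in sans):
        return "name-mismatch"
    if cert["issuer"] == cert["subject"]:
        return "self-signed"
    orgs = _names(cert["issuer"], "organizationName")
    if not any(o in expected_issuer_orgs for o in orgs):
        return "unexpected-issuer"
    return "ok"

HOST = "www.example-video.test"            # hypothetical streaming site
EXPECTED = {"Example Public CA"}           # hypothetical CA the site really uses
SUBJECT = ((("commonName", "*.example-video.test"),),)
SAN = (("DNS", "*.example-video.test"), ("DNS", "example-video.test"))

SAMPLES = {
    # What the real site would present.
    "genuine": {"subject": SUBJECT, "subjectAltName": SAN,
                "issuer": ((("organizationName", "Example Public CA"),),)},
    # Same names, but minted by an on-path proxy's own CA.
    "proxy-issued": {"subject": SUBJECT, "subjectAltName": SAN,
                     "issuer": ((("organizationName", "Example Onboard Proxy"),),)},
    # Same names, signed by itself.
    "self-signed": {"subject": SUBJECT, "subjectAltName": SAN, "issuer": SUBJECT},
}

def triage(host=HOST, samples=SAMPLES, expected=EXPECTED):
    """Classify every sample certificate for `host`."""
    return {label: classify_cert(host, c, expected) for label, c in samples.items()}

if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:13s} -> {verdict}")
```

A field comparison like this supplements the chain and hostname validation the TLS library performs; it does not replace it.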

In a statement Gogo’s CTO Anand Chari explains the approach and does his best to assuage the critics:

…One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. …

We can assure customers that no user information is being collected when any of these techniques are being used.

And that’s all well and good, assuming you trust the company (I do on this front). But it also creates a challenge. The reason things like SSL exist is to ensure that data is not snooped on by interlopers. By “breaking” the SSL chain the company creates a situation which can confuse customers. Sure, they might not be collecting the data but others acting in a similar manner may be. And conditioning consumers to accept SSL spoofing as a normal activity undermines the overall concept of data security. It is hard to find too many experts who will advocate breaking that trust, save for the folks who make the systems which are used to do so.

It is certainly Gogo’s prerogative to block the traffic. And, while the MITM method is likely more effective as a blocking method than URL whitelists and blacklists, it also works against the concepts of data security which are so important to the world of online commerce and privacy. If a consumer cannot trust that the data they’re seeing is what the original provider intended to deliver to them that’s a bad thing.

Oh, and I’m reasonably confident that it is not only Google/YouTube which Gogo is blocking with this approach nor that it is especially new. It just finally was apparent to someone who bothered to raise the issue.



Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.

8 Comments

  1. Nail on the head. This reminds me of the thinking that caused the #1 computer disease vector: browser plug-ins.

    It starts with a great idea: “Hey, let’s expand the browser’s functionality so that we can do cool stuff with our web site!” But ultimately it trained users to say “yes” to any request, lest the site not work for them. We’ve been fighting the battle to eliminate plug-ins ever since, principally by expanding what browsers themselves can do (HTML5 video, etc.).

    When the big browsers started making non-authenticated pages more obvious (preventing access without a click-through, flashing a red address bar, etc.), it was a fair bet that you would only see red if something was actually wrong, and you’d pay attention. But if GoGo and others start training users to say “yes” to anything again, we’re doomed to repeat the mistakes of Java and Flash.

  2. How awesome that she works for Google in Chrome usable security…she’d know exactly how to look for security holes like this that impact the user experience.

  3. Proxies are everywhere. When you go to a hotel, office, or a coffee shop, your Internet traffic is being proxied. The particular case with the GOGO incident is that the particular type of proxy (called SSL proxy) GOGO uses to handle HTTPS traffic issues a self-signed certificate “on behalf” of Google, and it was caught by a Google researcher/engineer.

    I believe it is perfectly legitimate for GOGO to proxy traffic and shape the usage of each user. I wouldn’t be surprised if it is clearly stated in their T&C. For any type of proxied traffic, the proxy knows exactly what the contents are. And in this case, GOGO’s SSL proxy has visibility to the users’ encrypted Web traffic if it chooses to. However, I’m pretty sure GOGO wouldn’t try to record or make any use of such information. In addition, it is really a burden for the proxy to do so and will greatly affect the network performance.

    From the other side, browsers like Chrome have advanced security features so that they know which SSL certificates are authentic. In GOGO’s case, they are not trying to trick the users by impersonating Google. Instead, the certificate is self-signed by GOGO as shown in the screenshot.

    If GOGO can come up with certain policies on what types of SSL traffic are proxied, e.g., no financial, it shouldn’t bother most of the users who browse on the plane.

    1. Proxies are in a lot of places. Proxies are NOT everywhere. I’m willing to bet that proxy-levels of traffic inspection doesn’t happen on most connections, even at a hotel or coffee shop.

      Gogo’s problem is that it is intercepting SSL traffic. Sure, the company says the data isn’t being collected or checked and I have no reason to believe otherwise. But it creates a problem in the world of privacy and security as it conditions users to expect that it is OK for “secure” data to no longer be secure. That’s bad in many ways.

  4. Thanks for sharing this. I would NOT trust this type of access no matter what…
    You might as well send them all your passwords and use them for auto login at that point…

  5. Yeah I agree snooping SSL traffic is murky territory. Why can’t they have more intelligent shapers based on traffic patterns and usage etc?

  6. GoGo may be saying that they don’t collect or look at the encrypted data – but insider threats are currently the largest cyber security issue according to many IT security polls. I wouldn’t trust logging into anything even remotely important from one of their connections, nor would I want any of my employees that use SSL VPNs to connect to the office and think that their confidential emails, presentations or other data is secure, when it most certainly is not.

    If GoGo are worried about people streaming YouTube, Netflix or making Skype calls, etc – just block them or their categories outright.

    1. I agree Kevin,

      We may trust GoGo’s policies and intentions, but that’s different from trusting the security of GoGo’s infrastructure. We do not know if their systems and network are compromised by internal or external agents, and we do not know if there are accidental log collections or leaks.

      That said, using secure VPNs to your company will be completely fine because the only traffic GoGo’s servers can decrypt will be the ones where they have issued a fake certificate for.
