In-flight connectivity provider Gogo has never been shy about admitting it controls what content travelers using its service will have access to. Bandwidth is a much more scarce resource in the sky than on the ground and more consumers than ever are connecting during a flight. That’s good news for the company which provides connectivity for the most aircraft on the planet but it also means the struggle to keep everyone happy is very real. And, over the years, the cat-and-mouse game of consumers trying to access blocked services and the response from the company has necessitated changes in the way those blocks are implemented.
— Adrienne Porter Felt (@__apf__) January 2, 2015
Most recently the company has turned to SSL certificate spoofing to effect some of the blocks. The method involves Gogo issuing “fake” SSL credentials from one of its servers, whereby it pretends to be the desired server; rather than returning the requested content, it returns an error page informing the user that the content is not available on board. This method is also known as a “Man in the Middle” (MITM) attack and can be used by hackers to decode and inspect the encrypted traffic before passing it along to the intended target server. Or, as in Gogo’s case, to block the traffic. And, while the company insists its intentions are pure, the means by which it is acting has both privacy and computer security folks up in arms.
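The check a client or monitoring script can make against this kind of substitution, as an added example that is not part of the original post: the replacement certificate carries the right hostname, so only the issuer gives it away. The hostnames and CA names are constructed, and the certificate dicts are assumed to follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: all names and certificate fields below are constructed.

def _field(name_tuples, key):
    """Pull one attribute out of the nested RDN tuples getpeercert() uses."""
    for rdn in name_tuples:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _host_matches(hostname, pattern):
    """Match a DNS name against a SAN entry; '*' covers the left-most label only."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def assess(hostname, cert, expected_issuer_orgs):
    """Return 'ok', 'name-mismatch' or 'unexpected-issuer' for a leaf certificate."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(hostname, s) for s in sans):
        return "name-mismatch"
    # The hostname check passes for a spoofed certificate too; the issuer is the tell.
    issuer_org = _field(cert.get("issuer", ()), "organizationName")
    if issuer_org not in expected_issuer_orgs:
        return "unexpected-issuer"
    return "ok"

# Hypothetical CA the site is known to use (an assumption for this example).
EXPECTED = {"Example Public CA"}

GENUINE = {
    "subject": ((("commonName", "*.streaming.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "subjectAltName": (("DNS", "*.streaming.example"),),
}
# Same names, but signed by the network operator's own proxy CA.
SPOOFED = dict(GENUINE, issuer=((("organizationName", "Example Inflight Proxy"),),
                                (("commonName", "proxy.inflight.example"),)))

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, assess("video.streaming.example", cert, EXPECTED))
```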
In a statement Gogo’s CTO Anand Chari explains the approach and does his best to assuage the critics:
…One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. …
We can assure customers that no user information is being collected when any of these techniques are being used.
And that’s all well and good, assuming you trust the company (I do on this front). But it also creates a challenge. The reason things like SSL exist is to ensure that data is not snooped on by interlopers. By “breaking” the SSL chain the company creates a situation which can confuse customers. Sure, they might not be collecting the data but others acting in a similar manner may be. And conditioning consumers to accept SSL spoofing as a normal activity undermines the overall concept of data security. It is hard to find too many experts who will advocate breaking that trust, save for the folks who make the systems which are used to do so.
It is certainly Gogo’s prerogative to block the traffic. And, while the MITM method is likely more effective as a blocking method than URL whitelists and blacklists, it also works against the concepts of data security which are so important to the world of online commerce and privacy. If a consumer cannot trust that the data they’re seeing is what the original provider intended to deliver to them, that’s a bad thing.
Oh, and I’m reasonably confident that it is not only Google/YouTube which Gogo is blocking with this approach, and that it is not especially new. It just finally was apparent to someone who bothered to raise the issue.