Hacks and Incidents

Gogo In-flight Internet issues Fake SSL Certificates to its own Customers

Gogo In-flight Internet issues Fake SSL Certificates to its own Customers: Gogo — one of the largest providers of in-flight Internet service — has been caught issuing fake SSL certificates, allowing the inflight broadband provider to launch man-in-the-middle (MITM) attacks on its own users, view passwords and other sensitive information.

The news came to light when security engineer Adrienne Porter Felt, who works on Google Chrome’s security team, was served the phony SSL certificate while trying to connect to Google’s video service YouTube. She noticed that the SSL certificate was signed by an untrusted issuer and wasn’t issued by Google, but rather by Gogo itself.

Felt publicly posted details about the spoofed certificate on Twitter and also provided a screenshot of the HTTPS certificate Gogo issued her when she visited YouTube. Felt tweeted, “Hey, @Gogo, why are you issuing *.google.com certificates on your planes?”

Alike other unauthorized certificates, the fake Gogo certificate would generate warnings by virtually all modern browsers. But, if users click on the OK button without giving a damn look, what most of the Internet users do, the bogus credential would allow Gogo to decrypt any traffic passing between end users and YouTube.