Gogo issues fake security certificates to block in-flight streaming

If you’re looking for another reason to hate Gogo, the much-criticized ISP of the skies, then it just provided one. Neowin revealed on Monday that Gogo is messing with the SSL (Secure Sockets Layer) certificates that websites present to encrypt traffic coming to and from your browser.

According to Neowin, Google security engineer Adrienne Porter Felt discovered the tactic when surfing Google sites. Gogo was replacing the SSL certificates she would normally get from Google with the ISP’s own certificates. This is the kind of ploy you’d usually see when a malicious hacker is performing a man-in-the-middle attack. But according to Gogo it’s just using the certificates as a way of identifying video traffic so it can block it over its narrowband air-to-ground network. From a statement by Gogo EVP and CTO Anand Chari:

“… we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”

Considering passengers on most Gogo planes today are sharing the equivalent of a single 3G connection, keeping video off the inflight wireless network is probably a good policy: without it, instead of a bunch of crappy connections you’d get no connections at all. But the way Gogo is enforcing that policy, by breaking the security of sites, is, as The Verge puts it, “a terrible idea for everyone involved.”