Gogo, the largest provider of inflight wifi to US airlines, has responded to accusations made this week that it has been issuing fake Google SSL certificates.
On 2 January, a user of Gogo's inflight wifi saw that the Secure Sockets Layer, or SSL, certificates being issued for Google's sites were instead being issued by Gogo. The user, -- Adrienne Porter Felt, an engineer who works on SSL for Google -- tweeted about the issue.
There was no SSL connection encrypting the information exchanged between the user and the world, even though the browser window had an icon suggesting that the communication was (relatively) safe.
The story was first reported by Neowin.
Neowin speculated that Gogo could be intercepting such unencrypted messages being transmitted by a user, while the user's guard was down, for some ulterior purpose.
Today Gogo chief technology officer Anand Chari issued a statement to Tnooz:
“Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky.
Right now, Gogo is working on many ways to bring more bandwidth to an aircraft.
Until then, we have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming.
One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.
Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic.
These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.
We can assure customers that no user information is being collected when any of these techniques are being used.
They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”
That said, it's worth noting a possibly relevant portion of Gogo's terms and conditions for using its inflight wifi service:
Acknowledgement of Filtering and Restriction of Access to Pornography or Other Offensive or Objectionable Material. You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement, including, but not limited to, those activities that may subject Gogo or its customers to liability or danger, or material that may be obscene, lewd, lascivious, filthy, excessively violent, pornographic, harassing, or otherwise objectionable.
What to do? In the meantime, Felt says a virtual private network (VPN) is one workaround for the issue. Also, if you receive an SSL warning from your browser, don't click through the warning.