In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming
Amanda Parker writes In-flight internet service Gogo has defended its use of fake Google SSL certificates as a means of throttling video streaming, adding that it was not invading its customers' privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter. From the article: "The image clearly shows that Gogo signed the certificate, not Google, thus misleading customers and opening the door to malware on users' devices. It also serves as a way to throttle data and limit traffic on its networks. 'Gogo takes our customer's privacy very seriously and we are committed to bringing the best Internet experience to the sky,' CTO Anand Chari said in a Monday statement."
These fuckers need to stop selling shit they can't support. If I pay for bandwidth, I need to have it when I want it, for whatever I want it for.
And don't give me any of this "Up To" bullshit. They should be required to indicate what the average speed you are buying is.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Why do they need to see the decrypted packet payloads? Surely throttling could be done based on a device's behavior (e.g. bandwidth used) without having to know exactly what the user is doing.
Why would they do all that instead of just put access lists at the edges?
Come on, just set QoS so that nobody can stream anything if you're concerned about bandwidth. Don't do some shady impersonation black hat shit to appear that it's not YOU being a bandwidth miser. It's not like there's a whole lot of competition inside each aircraft. AT&T or Verizon isn't following in a jet 2 nautical miles back with a signal booster just asking your passengers to log in to them for a nominal fee.
Why would this even be needed for throttling? If you don't want a customer downloading at more than 256kbps, then throttle him or her to 256kbps (or whatever).
If you don't want a given connection at more than 256kbps, then throttle each connection at 256kbps.
Hell, if you *just* want to throttle youtube, then have your DNS hosts respond with an address you control for all youtube requests and throttle that one (then NAT through the actual traffic without breaking encryption).
There seems to be very little benefit in decrypting SSL for throttling purposes, and a lot more benefit in viewing users' private correspondence (emails, G+, whatever else uses that certificate chain).
If you have nothing to hide, you have nothing to fear. Why is there so much hot air about companies invading your privacy? Privacy is dead and has been for 10-15 years. Suck it up.
Actually, I don't believe a word of that. But it's what I hear from non-techies whenever they tell me about a new cloud service or "cloud connected" "smart" devices and I raise my objections. I always respond by saying that since I know what they are doing and how easy it is to protect myself, how could I not? They shrug in apathy.
2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).
It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.
Welcome to the Panopticon. Used to be a prison, now it's your home.
More specifically it smells of bullshit.
I have started seeing this from web sense filters as well. It's caused a bunch of issues for one of our clients since our gear running Linux could not get out to our servers since the certs were bogus. Seems like a big liability issue.
It feels like they're just using a cheap solution to control their bandwidth. (Maybe weight of equipment plays a significant role in these applications, too.)
Or they may be bad. I don't know. Either way it's a no go; think of something better.
Surely if the image "clearly shows" then they are not "misleading".
The system is working as designed. If users do not understand that MITM attacks can occur if you accept untrusted certificates (and with trusted certificates, unless you are putting 100% trust in the CA) then the issue here is one of education.
I'd be much happier with some small outfit watching a few packets of my data while I'm using a specific service than Google collecting, well, pretty much fucking everything about behaviour on the Internet except the content of SSL-encrypted packets.
There's no reason they need to decrypt connections to throttle them. Throttling after a threshold data burst rate over a sustained period of time would be sufficient.
fuck beta comments are supposed to reside, but the dice editors took care of that already with the -1 ban hammer.
(won't be surprised if this comment is permanently marked at -1, flamebait)
At what point does impersonating a certificate (primarily used for identification purposes) count as identity theft? Surely some existing laws can be applied to prevent this sort of nonsense?
Isn't this a classic man in the middle attack, where somebody is issuing bogus site certs using authority they really don't legally have? Who is their certificate authority?
Wouldn't this be a violation of their CA agreement? I mean, signing certs for websites that YOU don't own or control is surely a way to get either busted by the authority that issued your signing keys, or if you are your own authority, get yourself removed from everybody's "trusted authority" lists.
At the very LEAST their certs should be revoked along with their authority to create more... And It should happen NOW.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I thought everybody knew this by now
This is why we need cert pinning. I use CertPatrol on Firefox currently. Even if I can't do anything about MITM proxies, I know about it at least and adjust my surfing behavior accordingly.
Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference." I have to take it on faith that the new cert is replacing an old, expiring cert (or a few months back, a SHA2 cert replacing a SHA1 cert). That, and Twitter and quite a few other sites use 50 different certs, distributed across five or six domain names. The constant pop-up gets real annoying, especially when their servers are slowly phasing to a new cert from an old one.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
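The certificate-change problem described in the pinning comment above, sketched as an added example (not CertPatrol's code and not written by any commenter): a trust-on-first-use store that rolls over quietly when the same issuer replaces a certificate close to expiry, and alerts when the issuer changes. `PinStore`, `Seen`, the verdict strings, the 30-day window and all sample values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

RENEWAL_WINDOW = timedelta(days=30)  # assumed: an old cert this close to expiry may be replaced

@dataclass(frozen=True)
class Seen:
    spki_sha256: str  # hash of the leaf certificate's public key
    issuer: str       # issuer name from the leaf; only a heuristic, a forged cert can copy it
    not_after: date

class PinStore:
    """Trust-on-first-use store: remembers one certificate per host."""
    def __init__(self):
        self._pins = {}

    def check(self, host, cert, today):
        old = self._pins.get(host)
        if old is None or cert.spki_sha256 == old.spki_sha256:
            self._pins[host] = cert
            return "first-use" if old is None else "match"
        same_issuer = cert.issuer == old.issuer
        if same_issuer and old.not_after - today <= RENEWAL_WINDOW:
            self._pins[host] = cert  # quiet roll-over, no pop-up
            return "probable-renewal"
        # The pin is kept on both warnings, so the next connection is judged against it too.
        return "warn-early-rekey" if same_issuer else "alert-issuer-changed"

def fp(label):
    # Constructed stand-in for a real SPKI hash.
    return hashlib.sha256(label).hexdigest()

def demo():
    store, host, today = PinStore(), "www.example.test", date(2015, 1, 6)
    observations = [  # constructed sample data
        Seen(fp(b"key-A"), "Example CA", date(2015, 1, 20)),
        Seen(fp(b"key-A"), "Example CA", date(2015, 1, 20)),
        Seen(fp(b"key-B"), "Example CA", date(2016, 1, 20)),
        Seen(fp(b"key-C"), "Inflight Proxy CA", date(2016, 1, 1)),
        Seen(fp(b"key-D"), "Example CA", date(2016, 6, 1)),
    ]
    return [store.check(host, c, today) for c in observations]

if __name__ == "__main__":
    print(demo())
```

The fourth observation models an intercepting proxy: the key and the issuer both change while the pinned certificate still has a year to run, so the store alerts and keeps the old pin.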
I don't understand why presenting yourself as another company isn't fraud? This is not only dishonest, but seems to be illegal as well.
Let them know what you think. http://concourse.gogoair.com/t...
OK, I guess I stay off-line next plane trip. *Completely* unacceptable....and hopefully leading to prosecution.
Under civil law, this is certainly a trademark violation. Is this a forgery under criminal law?
One big problem here is that when "legitimate" services present invalid certificates, it teaches users to accept browser-provided "broken SSL" UI as a normal thing that they should just ignore. This is very harmful to Internet security in general.
If Gogo doesn't have the bandwidth to handle streaming video, they should just block the sites outright. Better to do that than to mess with it in this way.
I have to wonder if their essential decryption and interception of content couldn't be construed as a DMCA violation and wiretapping.
I was wondering why ALA stopped offering them altogether after the New Year's. I guess they knew something was coming ahead of time and didn't want their name to be pushed into the mudslinging to come.
Any guest worker system is indistinguishable from indentured servitude.
I was thinking the exact same thing. More to the point, spoofing a google cert would not prevent someone from using an encrypted proxy to communicate with a home server or somewhere else and still stream video. The only reason anyone would do this (that I can think of) is if someone (NSA?) would like to make sure they can track and read all (most) communication occurring using the flight connection. Doesn't this also violate the DMCA in some way due to circumvention of encryption mechanisms?
Unregulated monopoly? Aren't they illegal, or was that only in the '30s?
davecb@spamcop.net
If you've been a network engineer in the past few years, you'd know exactly why you'd need to break SSL. Traffic prioritization used to just require looking at the TCP/UDP port- SMTP and FTP could be low priority, while HTTP was medium priority, and RTP was high priority. Then users started using non-standard ports, so you needed to look deeper- you start looking at the content-type header in HTTP. By doing this, you could still make the octet-stream and application-pdf low priority (file transfer) while the text/html would be higher priority and audio content-types the highest.
This was all well and good, but then the web moved to SSL. Not just for email or banking, but even sites like Youtube and Facebook. Now, QoS devices (which are critical in bandwidth limited situations like zooming across the sky near Mach 1 at 30k feet) need to peer deeper into the packets. In an enterprise environment, this is done the same way Gogo is doing it, except we control the list of trusted CA's on the computers, so we can tell our users to trust the (fake) certs that we are signing.
It's not a great solution- it's essentially a man-in-the-middle exploit. The better alternative would be for sites like Youtube to honestly set the DSCP header, but that's not going to happen...
Good grief, I have no problem with rationing bandwidth. Especially as you state, because the plane is going to have limited bandwidth and lots of connections competing. There are very effective ways of rationing bandwidth without hijacking user sessions without their knowledge, which is what this service is doing. Their method is not the cheapest, nor the easiest way to do this. It's like Motorola, who did the same thing and got busted. I will never, ever, buy a Motorola device because of it. Just like I will never, ever use a Gogo product/service because of this.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
By slipping phony certificates into a user's appliance you do compromise his security. Saying that you take it seriously is a blatant lie.
So why the fuck should I believe anything else you said?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They cannot call their service "Internet". This goes for any company that messes with packets, discriminates, blocks ports, or in any way defeats standard protocols.
Prove anything by multiplying Huge Number times Tiny Number
I see no problem in limiting bandwidth when necessary. The real problem is the mechanism, which is essentially fraud. It would be very surprising if Google couldn't legally stop another company from certifying themselves to be Google if they really are not. After all, corporations are people now, right?
If that's what you are selling - yes, whoever gets in first clogs the pipe. As for why, if you promised raw bandwidth and not details it's about keeping a promise.
However if you tell the customers that certain traffic gets bumped up in priority and they agree to remain your customers then go for whatever QoS scheme you want. It's perfectly acceptable in workplaces for instance if the people running the workplace agree.
The above poster has pointed at implementation but not implications.
The whole idea sucks in a massive way for everyone. Your company now has people with full access to the internet banking details of any employee that logged in from the workplace. Now you've got an extra level of potential fallout from disgruntled employees or an outright criminal that has wormed their way in. Being a man in the middle with SSL is a liability for anyone law abiding in the middle - so counter those fools that want to put in "SSL accelerator" devices with the possibility of having to go toe to toe with lawyers from a major bank.
Then there's the less than zero possibility that the vendor of the device can see that traffic that you are so conveniently letting the device see in the clear. Can you trust their employees? Can you trust anyone they are giving access to? Is some government contractor two steps removed like Snowden going to have access? It appears that sort of thing has already happened, I think it was some Cisco devices with backdoors but it may have been another vendor.
This sort of fucking stupid breakage of what is supposed to be trusted communication just for the sake of a bit of convenience goes against the entire point of the communication and is an accident waiting to happen. The sort of controlling pricks that make their staff wear voice recorders at work may like it for voyeuristic reasons, but it's stupid on a variety of levels. If a workplace is large enough for an SSL proxy to have any effect you can notice on performance then it is large enough that multiple people will have access to the traffic and the risk of abuse increases dramatically.
So yes, becoming very common, but very stupid and the wet dream of identity thieves, NSA etc
20-25 years ago, you would just sign your new key with your old key. And that wouldn't be a problem at all, because of course, a PGP key can have many signatures.
All we need is for tech to progress from the early 1990s, instead of regress.
Your tickets are subsidized, did you know that? If you had to pay what your seat actually cost, you wouldn't be able to afford to fly. The entire industry would COLLAPSE, leaving a few burned-out shells of what were once airlines, trying to eke out an existence alongside private carriers who would cater to the very rich. That said...
What, blatantly, would you consider a NON shady method? Go back to internet 101, learn how it works, realize that the only other way to do it would be to use routers that had a maximum throughput and bottleneck you between your device and the plane. Go look around, try and find a router that lets you SLOW THINGS DOWN. Let us all know when you find it. Then find one that lets you slow things down DYNAMICALLY in realtime. Don't expect us to wait up. You're asking the airline to buy something that doesn't exist, and the economy of scale wouldn't make it cheap enough for them to buy to provide you with additional, unnecessary services.
You all seem (those of you bitching about this,) that YOU'RE ON A GODDAMNED AIRPLANE! Its job is to get you safely and expeditiously from A to B, not play patty cake with you during the duration. Do you also think the stewardesses should blow you if you feel lonely during the flight? If the airlines really wanted to, they could, (and should) make the planes into Faraday cages, cut off ALL commo with the outside world, give you NO internet, tell you you can't use your stupid little fucking electronic devices in flight, and if you take your seatbelt off, we're turning this MF around, and you'll be carted off to JAIL when we land!
Then after 6 months to a year of that, put things back the way they are now, and say, "bitch some more. See what happens."
And you expected somebody with an Indian name to be honest? LOL.
As noted on the IETF bufferbloat list, they can support streaming, they just screwed it up (;-))
davecb@spamcop.net
of the trademark, as well as identity theft... (of google.com).
The amount of $$$ Google would get might be paltry to them, but it would protect their logos, their name, AND their reputation.
The problem with that method is that it will cause the video to pause and stutter. If they can throttle it from the very beginning YouTube will automatically select the lowest possible quality stream and then play it back without any issues.
Also, bursts tend to screw up latency sensitive applications like VOIP and video chat.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Google should enable Strict Transport Security to protect their users from this type of thing. http://en.wikipedia.org/wiki/H... It's about time they thought about disabling SSL 3 as well and cutting out the IE 6 users of the world even from basic search.