In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming
Amanda Parker writes In-flight internet service Gogo has defended its use of a fake Google SSL certificate as a means of throttling video streaming, adding that it was not invading its customers' privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter. From the article: "The image clearly shows that Gogo signed the certificate, not Google, thus misleading customers and opening the door to malware on users' devices. It also serves as a way to throttle data and limit traffic on its networks. 'Gogo takes our customer's privacy very seriously and we are committed to bringing the best Internet experience to the sky,' CTO Anand Chari said in a Monday statement."
These fuckers need to stop selling shit they can't support. If I pay for bandwidth, I need to have it when I want it, for whatever I want it for.
And don't give me any of this "Up To" bullshit. They should be required to indicate what the average speed you are buying is.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Come on, just set QoS so that nobody can stream anything if you're concerned about bandwidth. Don't do some shady impersonation black hat shit to appear that it's not YOU being a bandwidth miser. It's not like there's a whole lot of competition inside each aircraft. AT&T or Verizon isn't following in a jet 2 nautical miles back with a signal booster just asking your passengers to log in to them for a nominal fee.
Why would this even be needed for throttling? If you don't want a customer downloading at more than 256kbps, then throttle him or her to 256kbps (or whatever).
If you don't want a given connection at more than 256kbps, then throttle each connection at 256kbps.
Hell, if you *just* want to throttle YouTube, then have your DNS hosts respond with an address you control for all YouTube requests and throttle that one (then NAT through the actual traffic without breaking encryption).
There seems to be very little benefit in decrypting SSL for throttling purposes, and a lot more benefit in viewing users' private correspondence (emails, G+, whatever else uses that certificate chain).
2nd link in TFS ("use of a fake Google SSL certificate as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).
It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Isn't this a classic man in the middle attack, where somebody is issuing bogus site certs using authority they really don't legally have? Who is their certificate authority?
Wouldn't this be a violation of their CA agreement? I mean, signing certs for websites that YOU don't own or control is surely a way to get either busted by the authority that issued your signing keys, or if you are your own authority, get yourself removed from everybody's "trusted authority" lists.
At the very LEAST their certs should be revoked along with their authority to create more... And it should happen NOW.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
One big problem here is that when "legitimate" services present invalid certificates, it teaches users to accept browser-provided "broken SSL" UI as a normal thing that they should just ignore. This is very harmful to Internet security in general.
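Added example, not part of the article or of any comment above: a throwaway lab PKI built with the openssl CLI, showing what a client sees when a certificate for a site is signed by an intermediary instead of a root it trusts. The CA names TrustedCA and InflightProxy and the hostname video.example are constructed placeholders; nothing here touches a network.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: all keys, names and hosts are throwaway placeholders.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root certificate for NAME (lab only)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=$1/CN=$1 Root" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST OUT: certificate for HOST signed by CA, saved as OUT.pem
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -days 1 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$3.pem" 2>/dev/null
}

# chain_ok LEAF: succeeds only if LEAF chains to the one root the client trusts
chain_ok() {
  openssl verify -CAfile "$WORK/TrustedCA.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# issuer_of LEAF: print the issuer field, the detail visible in the screenshot
issuer_of() { openssl x509 -in "$WORK/$1.pem" -noout -issuer; }

make_ca TrustedCA        # stands in for a root in the browser's trust store
make_ca InflightProxy    # stands in for the intermediary's own signing CA
issue_leaf TrustedCA     video.example genuine
issue_leaf InflightProxy video.example substituted

# Same hostname in both leaves; only the signer differs.
for leaf in genuine substituted; do
  if chain_ok "$leaf"; then verdict="chain OK"; else verdict="UNTRUSTED"; fi
  echo "$leaf: $verdict; $(issuer_of "$leaf")"
done
```

The substituted leaf carries the right hostname, so the only signals left to the client are the failed chain validation and the issuer field, which is why clicking through the warning discards the one check that catches this.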