In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming
Amanda Parker writes In-flight internet service Gogo has defended its use of a fake Google SSL certificates as a means of throttling video streaming, adding that it was not invading its customer's privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter. From the article: "The image clearly shows that Gogo signed the certificate, not Google, thus misleading customers and opening the door to malware on users' devices. It also serves as a way to throttle data and limit traffic on its networks. 'Gogo takes our customer's privacy very seriously and we are committed to bringing the best Internet experience to the sky,' CTO Anand Chari said in a Monday statement."
These fuckers need to stop selling shit they can't support. If I pay for bandwidth, I need to have it when I want it, for whatever I want it for.
And don't give me any of this "Up To" bullshit. They should be required to indicate what the average speed you are buying is.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Why do they need to see the decrypted packet payloads? Surely throttling could be done based on a device's behavior (e.g. bandwidth used) without having to know exactly what the user is doing.
Why would they do all that instead of just put access lists at the edges?
Come on, just set QoS so that nobody can stream anything if you're concerned about bandwidth. Don't do some shady impersonation black hat shit to appear that it's not YOU being a bandwidth miser. It's not like there's a whole lot of competition inside each aircraft. AT&T or Verizon isn't following in a jet 2 nautical miles back with a signal booster just asking your passengers to log in to them for a nominal fee.
Why would this even be needed for throttling? If you don't want a customer downloading at more than 256kbps, then throttle him or her to 256kbps (or whatever).
If you don't want a given connection at more than 256kbps, then throttle each connection at 256kbps.
Hell, if you *just* want to throttle youtube, then have your DNS hosts respond with an address you control for all youtube requests and throttle that one (then NAT through the actual traffic without breaking encryption).
There seems to be very little benefit in decrypting SSL for throttling purposes, and a lot more benefit in viewing users' private correspondence (emails, G+, whatever else uses that certificate chain).
2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).
It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.
Welcome to the Panopticon. Used to be a prison, now it's your home.
It feels like they're just using a cheap solution to control their bandwidth. (Maybe weight of equipment plays a significant role in these applications, too.)
Or they may be bad. I don't know. Either way it's a no go; think of something better.
I know somebody who works for them up in the windy city, I'll have to ask why they thought this was necessary. Based on my past experience with this person, my guess is pretty much your guess, that they were/are up to no good and got caught. If they really didn't mean anything bad, it just says what I've always suspected, they don't really know what they are doing (which I'm totally sure describes the person who I know that works for GoGo).
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
There's no reason they need to decrypt connections to throttle them. Throttling after a threshold data burst rate over a sustained period of time would be sufficient.
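Rate-based throttling of the kind this comment and the earlier 256kbps suggestion describe, as an added example that is not part of the original post: a per-client token bucket that shapes on packet size and arrival time only and never reads payloads. The client addresses, packet sizes and burst depths are constructed sample values.

```python
class TokenBucket:
    """Shapes one client's traffic using only packet sizes and timestamps."""

    def __init__(self, rate_bps, burst_bytes):
        self.fill = rate_bps / 8.0      # refill rate in bytes per second
        self.depth = burst_bytes        # largest burst allowed at line rate
        self.tokens = burst_bytes
        self.last = 0.0                 # departure time of the previous packet

    def departure(self, arrival, size):
        """Earliest time a packet of `size` bytes (<= depth) may leave."""
        t = max(arrival, self.last)     # queue behind packets still waiting
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.fill)
        wait = max(0.0, (size - self.tokens) / self.fill)
        self.tokens += wait * self.fill - size
        self.last = t + wait
        return self.last


def shape(packets, rate_bps, burst_bytes):
    """packets: (arrival_s, client, size_bytes) tuples sorted by arrival.
    Returns {client: [departure_s, ...]}; payloads are never examined."""
    buckets, out = {}, {}
    for arrival, client, size in packets:
        if client not in buckets:
            buckets[client] = TokenBucket(rate_bps, burst_bytes)
        out.setdefault(client, []).append(buckets[client].departure(arrival, size))
    return out


def sample_traffic():
    # Constructed sample: one client pulls 100 x 1600-byte packets at once,
    # another sends a single small packet 10 ms later.
    bulk = [(0.0, "10.0.0.5", 1600)] * 100
    return sorted(bulk + [(0.01, "10.0.0.9", 200)])
```

At 256000 bit/s with a 16000-byte bucket the bulk client's first ten packets leave at once and the rest drain over 4.5 seconds, while the second client is not delayed; a bucket of 1600 bytes holds the bulk client to the sustained rate from its second packet on.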
Isn't this a classic man in the middle attack, where somebody is issuing bogus site certs using authority they really don't legally have? Who is their certificate authority?
Wouldn't this be a violation of their CA agreement? I mean, signing certs for websites that YOU don't own or control is surely a way to get either busted by the authority that issued your signing keys, or if you are your own authority, get yourself removed from everybody's "trusted authority" lists.
At the very LEAST their certs should be revoked along with their authority to create more... And it should happen NOW.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
This is why we need cert pinning. I use CertPatrol on Firefox currently. Even if I can't do anything about MITM proxies, I know about it at least and adjust my surfing behavior accordingly.
Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference." I have to take it on faith that the new cert is replacing an old, expiring cert (or a few months back, a SHA2 cert replacing a SHA1 cert). That, and Twitter and quite a few other sites use 50 different certs, distributed across five or six domain names. The constant pop-up gets real annoying, especially when their servers are slowly phasing to a new cert from an old one.
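The trust-on-first-use tracking described in this comment, including the rotation and many-certificates problem it raises, as an added example that is not part of the original post and is not CertPatrol's code. The observation records (host, fingerprint, issuer, expiry) and every name in them are constructed; extracting them from a live handshake is not shown.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Seen:
    """One observed leaf certificate (constructed fields, no live handshake)."""
    host: str
    fingerprint: str     # SHA-256 of the certificate, hex
    issuer: str          # issuer organization named in the certificate
    not_after: datetime  # expiry date


@dataclass
class PinStore:
    renew_window: timedelta = timedelta(days=30)
    pins: dict = field(default_factory=dict)  # host -> {fingerprint: Seen}

    def check(self, obs, now):
        known = self.pins.setdefault(obs.host, {})
        if not known:
            known[obs.fingerprint] = obs
            return "first-seen"
        if obs.fingerprint in known:
            return "match"
        if obs.issuer not in {s.issuer for s in known.values()}:
            # Known host, unknown signer: do not store the pin, warn instead.
            return "ALERT-issuer-changed"
        # Same issuer: accept as an additional pin, but say why it appeared.
        expiring = any(s.not_after - now <= self.renew_window
                       for s in known.values())
        known[obs.fingerprint] = obs
        return "rotation-expected" if expiring else "new-cert-same-issuer"


def demo():
    # Constructed sample: a renewal, a repeat visit, then a substituted cert.
    now = datetime(2015, 1, 6)
    store = PinStore()
    seen = [
        Seen("video.example", "aa11", "Example Trust CA", datetime(2015, 1, 20)),
        Seen("video.example", "bb22", "Example Trust CA", datetime(2016, 1, 20)),
        Seen("video.example", "bb22", "Example Trust CA", datetime(2016, 1, 20)),
        Seen("video.example", "cc33", "Inflight Proxy CA", datetime(2016, 1, 1)),
    ]
    return [store.check(o, now) for o in seen]
```

Issuer names are only a heuristic here, since a name is whatever the signer writes into the certificate; a stricter store would pin a hash of the issuing CA's public key.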
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Um... IF that's what is happening to you, you are doing it wrong.
In corporate networks this is VERY common for controlling and monitoring internet access by employees. You have a corporate CA which is invalid outside the company but trusted by clients INSIDE the company. Then you put proxies at the border entry points. Voilà, you can monitor and filter what your employees are doing at the proxy. This is how a lot of content filters actually work and with everything getting tunneled over https in a false attempt at being "secure" you have to be able to look at https content to actually filter stuff.
The problems you describe are likely caused by improper configuration of the clients and what CA's they will accept. Likely you will have to add the internal CA to clients on the inside of your network to make them work and if the client is OUTSIDE your network, you will need a fully vetted PUBLIC cert to be applied when the traffic is headed outside the network. It could also be that the filter appliances don't have trusted CA's signing their certs (as in they are self signed by the device). In which case you are doing it wrong and need to create your own internal CA and issue the appliances certs from it.... Or not, and just blindly accept the self signed cert from the appliance every time it gets updated.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Under civil law, this is certainly a trademark violation. Is this a forgery under criminal law?
It's also common in schools where content must be filtered. Additionally, once you decrypt at an intermediate security device, you can proxy on that as well, and compress, and do other things that someone operating over an expensive link might want. It's nearly impossible to compress and proxy encrypted data.
Learn to love Alaska
One big problem here is that when "legitimate" services present invalid certificates, it teaches users to accept browser-provided "broken SSL" UI as a normal thing that they should just ignore. This is very harmful to Internet security in general.
If Gogo doesn't have the bandwidth to handle streaming video, they should just block the sites outright. Better to do that than to mess with it in this way.
I have to wonder if their essential decryption and interception of content couldn't be construed as a DMCA violation and wiretapping.
I was wondering why ALA stopped offering them altogether after the New Year's. I guess they knew something was coming ahead of time and didn't want their name to be pushed into the mudslinging to come.
Any guest worker system is indistinguishable from indentured servitude.
Yeah, don't understand how this is news. It's not a security flaw, it's how your browser is supposed to warn you. Sure bandwidth on the plane sucks... YOU'RE ON A PLANE.
https://www.youtube.com/watch?v=uEY58fiSK8E
Unregulated monopoly? Aren't they illegal, or was that only in the '30s?
davecb@spamcop.net
If you've been a network engineer in the past few years, you'd know exactly why you'd need to break SSL. Traffic prioritization used to just require looking at the TCP/UDP port- SMTP and FTP could be low priority, while HTTP was medium priority, and RTP was high priority. Then users started using non-standard ports, so you needed to look deeper- you start looking at the content-type header in HTTP. By doing this, you could still make the octet-stream and application-pdf low priority (file transfer) while the text/html would be higher priority and audio content-types the highest.
This was all well and good, but then the web moved to SSL. Not just for email or banking, but even sites like Youtube and Facebook. Now, QoS devices (which are critical in bandwidth limited situations like zooming across the sky near Mach 1 at 30k feet) need to peer deeper into the packets. In an enterprise environment, this is done the same way Gogo is doing it, except we control the list of trusted CA's on the computers, so we can tell our users to trust the (fake) certs that we are signing.
It's not a great solution- it's essentially a man-in-the-middle exploit. The better alternative would be for sites like Youtube to honestly set the DSCP header, but that's not going to happen...
Good grief, I have no problem with rationing bandwidth. Especially as you state, because the plane is going to have limited bandwidth and lots of connections competing. There are very effective ways of rationing bandwidth without hijacking user sessions without their knowledge, which is what this service is doing. Their method is not the cheapest, nor the easiest way to do this. It's like Motorola, who did the same thing and got busted. I will never, ever, buy a motorola device because of it. Just like I will never, ever use a Gogo product/service because of this.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
By slipping phony certificates into a user's appliance you do compromise his security. Saying that you take it seriously is a blatant lie.
So why the fuck should I believe anything else you said?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They cannot call their service "Internet". This goes for any company that messes with packets, discriminates, blocks ports, or in any way defeats standard protocols.
Prove anything by multiplying Huge Number times Tiny Number
I see no problem in limiting bandwidth when necessary. The real problem is the mechanism, which is essentially fraud. It would be very surprising if Google couldn't legally stop another company from certifying themselves to be Google if they really are not. After all, corporations are people now, right?
If that's what you are selling - yes, whoever gets in first clogs the pipe. As for why, if you promised raw bandwidth and not details it's about keeping a promise.
However if you tell the customers that certain traffic gets bumped up in priority and they agree to remain your customers then go for whatever QoS scheme you want. It's perfectly acceptable in workplaces for instance if the people running the workplace agree.
The above poster has pointed at implementation but not implications.
The whole idea sucks in a massive way for everyone. Your company now has people with full access to the internet banking details of any employee that logged in from the workplace. Now you've got an extra level of potential fallout from disgruntled employees or an outright criminal that has wormed their way in. Being a man in the middle with SSL is a liability for anyone law abiding in the middle - so counter those fools that want to put in "SSL accelerator" devices with the possibility of having to go toe to toe with lawyers from a major bank.
Then there's the less than zero possibility that the vendor of the device can see that traffic that you are so conveniently letting the device see in the clear. Can you trust their employees? Can you trust anyone they are giving access to? Is some government contractor two steps removed like Snowden going to have access? It appears that sort of thing has already happened, I think it was some Cisco devices with backdoors but it may have been another vendor.
This sort of fucking stupid breakage of what is supposed to be trusted communication just for the sake of a bit of convenience goes against the entire point of the communication and is an accident waiting to happen. The sort of controlling pricks that make their staff wear voice recorders at work may like it for voyeuristic reasons, but it's stupid on a variety of levels. If a workplace is large enough for an SSL proxy to have any effect you can notice on performance then it is large enough that multiple people will have access to the traffic and the risk of abuse increases dramatically.
So yes, becoming very common, but very stupid and the wet dream of identity thieves, NSA etc
As noted on the IETF bufferbloat list, they can support streaming, they just screwed it up (;-))
davecb@spamcop.net
The problem with that method is that it will cause the video to pause and stutter. If they can throttle it from the very beginning YouTube will automatically select the lowest possible quality stream and then play it back without any issues.
Also, bursts tend to screw up latency sensitive applications like VOIP and video chat.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
While I haven't personally used GoGo, I presume that you have to click "I Agree" after being shown a bunch of legalese that probably includes something like this:
"By clicking 'I Agree', I consent to having all of my traffic monitored while using this service. This includes traffic I might otherwise think would be private. Furthermore, by clicking 'I Agree', I grant such access and I renounce any claims of improper use of the data."
If you click "I agree", you pretty much give up any chance of fighting said nonsense.
John
I was curious what he meant by subsidized as well, but http://en.wikipedia.org/wiki/Airline_Deregulation_Act seems to pretty much say government wanted out from anything like that. The only other thing I found was http://en.wikipedia.org/wiki/Essential_Air_Service but was just for small airports not travel in general.
Google should enable Strict Transport Security to protect their users from this type of thing. http://en.wikipedia.org/wiki/H... It's about time they thought about disabling SSL 3 as well and cutting out the IE 6 users of the world even from basic search.