In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming
Amanda Parker writes In-flight internet service Gogo has defended its use of fake Google SSL certificates as a means of throttling video streaming, adding that it was not invading its customers' privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter. From the article: "The image clearly shows that Gogo signed the certificate, not Google, thus misleading customers and opening the door to malware on users' devices. It also serves as a way to throttle data and limit traffic on its networks. 'Gogo takes our customer's privacy very seriously and we are committed to bringing the best Internet experience to the sky,' CTO Anand Chari said in a Monday statement."
Why do they need to see the decrypted packet payloads? Surely throttling could be done based on a device's behavior (e.g. bandwidth used) without having to know exactly what the user is doing.
Why would they do all that instead of just put access lists at the edges?
Come on, just set QoS so that nobody can stream anything if you're concerned about bandwidth. Don't do some shady impersonation black hat shit to appear that it's not YOU being a bandwidth miser. It's not like there's a whole lot of competition inside each aircraft. AT&T or Verizon isn't following in a jet 2 nautical miles back with a signal booster just asking your passengers to log in to them for a nominal fee.
There's no competition there - I think it'd be fine to be perfectly up front to say something like "While we're screaming across the earth defying gravity at 750 miles per hour, we do not have the ability to provide enough bandwidth so that everyone may watch Netflix. Streaming video sites are not accessible. You don't like it, don't buy it."
Why would this even be needed for throttling? If you don't want a customer downloading at more than 256kbps, then throttle him or her to 256kbps (or whatever).
If you don't want a given connection at more than 256kbps, then throttle each connection at 256kbps
Hell, if you *just* want to throttle youtube, then have your DNS hosts respond with an address you control for all youtube requests and throttle that one (then NAT through the actual traffic without breaking encryption).
There seems to be very little benefit in decrypting SSL for throttling purposes, and a lot more benefit in viewing users' private correspondence (emails, G+, whatever else uses that certificate chain).
I'm OK with ISPs offering speed variation through the day, based on demand. Why limit my speed to 10 Mbps at 4am if you can offer 100 Mbps at no additional cost? Just don't limit the speed according to the service/application/port number/web site I use. An ISP is a dumb pipe and my bytes should get the same priority as anyone else's.
I paid for some GoGo on a flight recently. The signup page made it pretty clear that data speeds were pretty limited and I wasn't allowed to stream video. I don't know why they need to spoof certs for that as opposed to just blocking sites or protocols though. Maybe they do some sort of data compression on the ground before transmitting to the plane or something?
2nd link in TFS ("use of a fake Google SSL certificates as a means of throttling video") is a self-starting video at PCMag. Because, I guess, we at Slashdot can no longer read for ourselves and must be read to (after the advertising plays).
It used to be customary to warn people of objectionable formats and maybe link to non-crap sources. Kthxbye.
Welcome to the Panopticon. Used to be a prison, now it's your home.
You lied when you sold it to the second user.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
There's no reason they need to decrypt connections to throttle them. Throttling after a threshold data burst rate over a sustained period of time would be sufficient.
Isn't this a classic man in the middle attack, where somebody is issuing bogus site certs using authority they really don't legally have? Who is their certificate authority?
Wouldn't this be a violation of their CA agreement? I mean, signing certs for websites that YOU don't own or control is surely a way to get either busted by the authority that issued your signing keys, or if you are your own authority, get yourself removed from everybody's "trusted authority" lists.
At the very LEAST their certs should be revoked along with their authority to create more... And it should happen NOW.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
This is why we need cert pinning. I use CertPatrol on Firefox currently. Even if I can't do anything about MITM proxies, I know about it at least and adjust my surfing behavior accordingly.
Unfortunately, there's currently no way for a site to say, "hey, I just changed my cert from an old one to a new one, don't mind the difference." I have to take it on faith that the new cert is replacing an old, expiring cert (or a few months back, a SHA2 cert replacing a SHA1 cert). That, and Twitter and quite a few other sites use 50 different certs, distributed across five or six domain names. The constant pop-up gets real annoying, especially when their servers are slowly phasing to a new cert from an old one.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
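A scripted version of the check CertPatrol performs, added here as an example and not code from the post or from CertPatrol: it pins the issuer rather than the certificate, so routine renewals within the same CA pass quietly while a certificate for the same name signed by an unrelated party is flagged. The `fetch_peercert` helper, the sample `getpeercert()` dicts and the CA names are constructed for the example and are not real data.

```python
import hashlib
import socket
import ssl

def rdn_value(name, key):
    """First value of attribute `key` (e.g. 'commonName') in a getpeercert()-style name tuple."""
    for rdn in name:
        for attr_key, attr_value in rdn:
            if attr_key == key:
                return attr_value
    return None

def cert_fingerprint(der_bytes):
    """SHA-256 over the whole DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_bytes).hexdigest()

def check_pins(peercert, der_bytes, expected_issuer_cns, known_fingerprints):
    """Return findings; an empty list means the certificate matches the pins.
    Issuer pinning survives routine renewals within the same CA but flags a cert
    signed by an unrelated party; fingerprint pinning is stricter and noisier
    (it fires on every renewal), so it is optional here."""
    findings = []
    issuer_cn = rdn_value(peercert.get("issuer", ()), "commonName")
    if issuer_cn not in expected_issuer_cns:
        findings.append(f"unexpected issuer: {issuer_cn}")
    fingerprint = cert_fingerprint(der_bytes)
    if known_fingerprints and fingerprint not in known_fingerprints:
        findings.append(f"certificate changed: {fingerprint[:16]}...")
    return findings

def fetch_peercert(host, port=443, timeout=5.0):
    """Live helper (assumed usage): (getpeercert() dict, DER bytes) for the leaf the server sent.
    A signer the OS does not trust already fails this handshake; the issuer check
    matters once an interposing CA has been added to the device's trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

# Constructed samples in getpeercert() format; CA names are placeholders, not real ones.
SAMPLE_LEGIT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example Public CA"),)),
}
SAMPLE_INTERCEPTED = {  # same subject, but signed by the proxy operator's own CA
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example In-Flight ISP"),), (("commonName", "Example Proxy CA"),)),
}
```

Feed `check_pins` the two values `fetch_peercert` returns to run it against a live host; the fingerprint set can stay empty if you only want issuer-level alerts.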
They could say something like this:
Oh wait. That's exactly what they say. They're very up-front about not being able to stream video.
Under civil law, this is certainly a trademark violation. Is this a forgery under criminal law?
One big problem here is that when "legitimate" services present invalid certificates, it teaches users to accept browser-provided "broken SSL" UI as a normal thing that they should just ignore. This is very harmful to Internet security in general.
Should they? If you're playing an online video game, should your bytes have the same priority as someone who is trying to download a 10Gb file? Or someone whose computer is performing an automatic update? Or someone who's streaming music?
If your answer is yes, I have to ask, why?
By slipping phony certificates into a user's appliance you do compromise his security. Saying that you take it seriously is a blatant lie.
So why the fuck should I believe anything else you said?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
People are getting their panties in a twist about the contract rather than the real kicker. There are many more suitable ways to prevent streaming like QoS, blacklists etc. Instead they choose to MITM an encrypted connection.
I don't care what they say. They are completely in the wrong and I'm sure if you read the laws carefully enough what they are doing is likely illegal as they have more than 3 letters in their name.