GoGo Inflight and “Man in the Middle” (MITM) for monitoring SSL traffic
It has recently been reported by NeoWin (http://www.neowin.net/news/gogo-inflight-internet-is-intentionally-issuing-fake-ssl-certificates) that in-flight Internet provider GoGo is using a questionable tactic while delivering its Internet access on commercial airlines. The tactic is called a “man in the middle” (MITM) attack, and it works by breaking down the protections provided by SSL, the Secure Socket Layer, which is the magic behind “secure” websites and the little padlock you see in your browser. GoGo claims that their use of the man in the middle is to identify users who are accessing video streaming services and restrict this access. The reason that GoGo has to interfere with the secure traffic flow from its customers is simple, but the effects to its users are anything but.
Most Internet services (like Facebook, Twitter, YouTube, Netflix, etc) that require users to login use SSL encryption to protect the user’s login info and other data that a user accesses during their use of the service. This is great for the end user as it protects their data during these interactions, but the encryption masks the type and content of the traffic from the owner of the network and any Internet Service Providers (ISPs) in between the user and the service. In most situations, this is completely acceptable and the behavior we all expect our Internet providers to respect. However, a problem arises when a provider has specific reasons to block certain types of traffic. Most commonly, attempts to block traffic are either driven by a corporate network policy or by a desire to provide Quality of Service (QoS) in networks where bandwidth is restricted. Because the traffic is encrypted, the network provider cannot tell what traffic they want to allow and what traffic they want to block. One way around this is to force decryption of the traffic so that it can be subject to filtering. Unfortunately, this also means that the end user’s data is no longer encrypted and that trust layer is broken.
Such is the case with GoGo, at least according to their statements made in response to the NeoWin article. They claim to be decrypting traffic so that they can limit user’s access to streaming media. This is makes sense on the surface, as bandwidth in moving aircraft is still relatively limited and providers like GoGo would prefer to have all of their customers experience a reasonably responsive connection to email and other low-bandwidth services, vs just a few users using all the bandwidth to binge watch all of Breaking Bad. However, this decryption also puts GoGo in the position to filter, track and log ALL of the interactions that customers have while using their service. GoGo has said that they aren’t going to collect or use that data for anything else… but do you trust them?
Man in the Middle attacks are not a new phenomenon, and GoGo is not the first organization to implement such a tactic to gain some insight into how end users are using bandwidth. Many corporate networks use advanced content filtering and application-layer inspection, including SSL MITM, to gain visibility into the sites and services that employees use in the workplace. As more and more sites employ encrypted data transmission, the problem for those who want to restrict access becomes more and more challenging. We can, and should, expect to see similar attempts by Internet providers to gain insight into our surfing activities.
The good news is that it is relatively easy to identify a MITM attack. The purpose of SSL (and the little padlock) is to provide verification that the site your browser is connecting to is really the site you believe it is. When a provider inserts a MITM attack, your browser is aware that someone other than the party expected at the other end is decrypting your data. This results in a warning message telling you the certificate is either not valid, or has questionable authenticity. These warnings should not be swiftly dismissed! Instead, this is a warning that the encryption of the session is not guaranteed. Unless the end user is expecting a warning (possible because their employer uses a self-signed SSL certificate), the initial reaction should be to not continue to connect to the site. If the user must connect, do so with extreme caution and the understanding that data being transmitted is likely no longer secure.
What does this mean to the end users like you and me? GoGo is just one provider in a sea of Internet access vendors that are offering to make it easier to get connected everywhere. All end users need to carefully consider the risks of using these “public” Internet providers. When accessing any resources over the Internet, use of a Virtual Private Network (VPN) is strongly recommended. This is especially critical when accessing Public WiFi, pay-as-you-go services, or hotel/airplane/train or bus Internet services. As a basic rule of thumb, unless using your own network (at home or the office), connections to sensitive, confidential or any info you don’t want publicly monitored should be established using VPN at all times. Usage of a VPN will fully encrypt the traffic, stopping the provider of the MITM attack from viewing the end user data.
Although GoGo’s recent revelation of Internet monitoring is disturbing, it is indicative of the risk involved in all publicly accessible Internet access. The MITM is a common tool for hackers too, so it should never be assumed that any networks are “safe”, even if the provider isn’t using MITM. Practice safe Internet use out there!