Inflight Wi-Fi supplier Gogo is checking clients’ traffic on secure websites by changing those destinations’ HTTPS authentications with self-marked ones. The company doesn’t feel like intruding and contends that this practice is only conducted in relation to some video streaming platforms in an effort to contain or block their use. However, the procedure is widely seen by tech experts as a man-in-the-middle (MitM) assault.
Things went public after Adrienne Porter Felt, a designer and specialist with Google’s Chrome security group, observed a maverick HTTPS certificate when she attempted to get to youtube.com through Gogo’s Wi-Fi while in a flight. Felt took a screen shot of the certificate and posted it on Twitter asking Gogo to reveal why it had exchanged YouTube’s genuine authentication for the self-signed one. Her tweet led to a heap of users critics directed toward Wi-Fi supplier Gogo. The company also reacted releasing a statement on Monday signed by its official VP and leading technology officer, Anand Chari.
According to Chari, the company is currently working on various ways to bring more data transmission to an airplane, but until it succeeds it has to block or limit the traffic on several video streaming websites. The official clarified that one of the solutions introduced to keep a low traffic on these websites is using proxies secure video streaming. She pointed out that these practices or others target only some certified video websites and they do not influence the general secure web activity. Moreover, the methods employed by the company are used to guarantee that everybody surfing the net via Gogo will benefit from a constant browsing experience.
The executive also assured users that none of their personal date is being gathered when such procedures are enforced. Nevertheless, since Gogo’s proxy system is actually between clients and the websites, the company can see verification cookies which can also give it access to clients’ accounts on those websites and other conceivably delicate data.
Some contend that the MitM technique might not really help the company with constraining video streaming because users can still go on the websites. When reaching a self-signed certificate most browsers show an error, but users can manually overpass the block and continue to the website.
However, those browsing on Google Chrome might find it hard to sidestep the error message because Chrome keeps a rundown of trusted certificates connected with prevalent websites, including youtube.com, as a feature of a system called certificate pinning.
This implies that for some clients YouTube streaming won’t be only choked, but totally blocked, and if that is the thing that Gogo went for, there are simpler approaches to attain it without meddling in secure traffic.
Image Source: The New York Times
