http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/
Gogo issues fake HTTPS certificate to users visiting YouTube

<http://cdn.arstechnica.net/wp-content/uploads/2015/01/fake-youtube-certificate.jpg>

Enlarge
<http://cdn.arstechnica.net/wp-content/uploads/2015/01/fake-youtube-certificate.jpg>

Adrienne Porter Felt <https://twitter.com/__apf__/status/551083956326920192>

Gogo has been caught issuing a fake digital certificate for YouTube, a
practice that in theory could allow the inflight broadband provider to view
passwords and other sensitive information exchanged between end users and
the Google-owned video service.

Normally, YouTube passwords, authentication cookies, and similar site
credentials are securely encrypted using the widely used HTTPS protocols. A
public key accompanying YouTube's official HTTPS certificate ensures that
only Google can decrypt the traffic. The fake certificate Gogo presents to
users trying to access the video site bypasses these protections, making it
possible for Gogo to decipher data. It has long been Gogo's policy to block
access to streaming sites and other bandwidth-intensive services. A company
official said the fake YouTube certificate is used solely to enforce the
policy and not to collect data intended for YouTube. Security and privacy
advocates criticized the technique anyway, characterizing it as
heavy-handed.

The certificate came to light late last week when Adrienne Porter Felt, an
engineer in Google's Chrome browser security team, posted a screenshot of
the HTTPS certificate Gogo issued her
<https://twitter.com/__apf__/status/551083956326920192> when she visited
YouTube. Rather than being signed by a recognized certificate authority,
the credential was signed by Gogo itself. In fairness to Gogo, the fake
certificate would generate warnings by virtually all modern browsers. Still
once users click an OK box, the bogus credential would allow Gogo to
decrypt any traffic passing between end users and YouTube.

"hey @Gogo, why are you issuing *.google.com certificates on your planes?"
Felt wrote in her tweet.

In response, Gogo Chief Technology Officer Anand Chari issued a statement
<http://concourse.gogoair.com/technology/statement-gogo-regarding-streaming-video-policy?WT.mc_id=79f9bc0610e2c6762b851a78db86d3d9>
reminding users of the company's no-streaming policy. He went on to say
Gogo uses several techniques to block them. Since Google began
automatically HTTPS-encrypting YouTube, such blocks presumably must find a
way around that protection. Otherwise, users trying to visit
HTTPS-protected pages will receive a security warning when presented with
the Gogo blocking message. In any event, Chari said, no sensitive data is
being decrypted.

"We can assure customers that no user information is being collected when
any of these techniques are being used," he wrote. "They are simply ways of
making sure all passengers who want to access the Internet in flight have a
good experience."

The statement provided little comfort to many security and privacy
advocates. For one thing, the fake certificate at least theoretically gives
Gogo the ability to monitor and collect traffic sent between YouTube and
any visitor who accepts the bogus credential. No ISP or broadband provider
should exercise this type of control, these critics say. On the other hand,
Gogo has a legitimate interest in blocking YouTube, and unfortunately, the
site's mandatory use of HTTPS limits the ways the inflight service can
enforce it in a manner that's transparent and easy to understand.

Mandatory HTTPS connections have long been the bane of people using
so-called "captive-portal" Internet services offered by hotels and
conferences. Typically, such services redirect first-time users to a terms
of service page before they can browse the Internet. Those redirections
often stall when users first try to visit encrypted webpages, creating a
hugely frustrating problem for end users, broadband providers, and website
operators alike. While this is a hard problem to solve, Gogo's current
approach sets a bad precedent. Promising not to monitor or collect
sensitive data isn't the same thing as being unable to do it. The entire
premise of HTTPS is at stake.



__._,_.___
 ------------------------------
Posted by: "beowulf" <[email protected]>
------------------------------


 Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmaDViZHA4BF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0MjA1MDE5MDk->

   - New Members
   
<https://groups.yahoo.com/neo/groups/grendelreport/members/all;_ylc=X3oDMTJnMWJtdWcwBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2bWJycwRzdGltZQMxNDIwNTAxOTA5>
   1

 [image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlZWNobW5lBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQyMDUwMTkwOQ-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to