Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-06 Thread Jeffrey Altman
On 1/5/2015 8:47 PM, John Levine wrote:
> 
> http://venturebeat.com/2015/01/05/gogo-in-flight-internet-says-it-issues-fake-ssl-certificates-to-throttle-video-streaming/
> 
> They claim they're doing it to throttle video streaming, not to be evil.
> 
> Am I missing something, or is this stupid?  If they want to throttle
> user bandwidth (not unreasonable on a plane), they can just do it.
> The longer a connection is open, the less bandwidth it gets.

I suspect that throttling user bandwidth is not the goal.  Instead they
are attempting to strip out embedded video from within http streams.
Since the video stream might be sent over the same tcp connection as
non-video content they can improve the user's experience by delivering
all but the video.

Jeffrey Altman




___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-06 Thread Peter Maxwell
On 6 January 2015 at 15:40, Jeffrey Altman wrote:

> On 1/5/2015 8:47 PM, John Levine wrote:
> >
> > http://venturebeat.com/2015/01/05/gogo-in-flight-internet-says-it-issues-fake-ssl-certificates-to-throttle-video-streaming/
> >
> > They claim they're doing it to throttle video streaming, not to be evil.
> >
> > Am I missing something, or is this stupid?  If they want to throttle
> > user bandwidth (not unreasonable on a plane), they can just do it.
> > The longer a connection is open, the less bandwidth it gets.
>
> I suspect that throttling user bandwidth is not the goal.  Instead they
> are attempting to strip out embedded video from within http streams.
> Since the video stream might be sent over the same tcp connection as
> non-video content they can improve the user's experience by delivering
> all but the video.
>

​So why do they not take a more traditional approach of:

i. blocking obvious video services (YouTube, etc) wholesale;​ and,

ii. limiting sustained bandwidth per user at a level that would frustrate
viewing video anyway.


​​It's somewhat easier to do than intercepting SSL/TLS connections.


Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-06 Thread shawn wilson
You can smartly limit resolution in squid - I don't trust this is what
they were doing, but you could provide a better experience like this.

On Tue, Jan 6, 2015 at 11:01 AM, Peter Maxwell  wrote:
>
>
> On 6 January 2015 at 15:40, Jeffrey Altman 
> wrote:
>>
>> On 1/5/2015 8:47 PM, John Levine wrote:
>> >
>> >
>> > http://venturebeat.com/2015/01/05/gogo-in-flight-internet-says-it-issues-fake-ssl-certificates-to-throttle-video-streaming/
>> >
>> > They claim they're doing it to throttle video streaming, not to be evil.
>> >
>> > Am I missing something, or is this stupid?  If they want to throttle
>> > user bandwidth (not unreasonable on a plane), they can just do it.
>> > The longer a connection is open, the less bandwidth it gets.
>>
>> I suspect that throttling user bandwidth is not the goal.  Instead they
>> are attempting to strip out embedded video from within http streams.
>> Since the video stream might be sent over the same tcp connection as
>> non-video content they can improve the user's experience by delivering
>> all but the video.
>
>
> So why do they not take a more traditional approach of:
>
> i. blocking obvious video services (YouTube, etc) wholesale; and,
>
> ii. limiting sustained bandwidth per user at a level that would frustrate
> viewing video anyway.
>
>
> It's somewhat easier to do than intercepting SSL/TLS connections.


Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-06 Thread Nathan Dorfman
On Tue, Jan 6, 2015 at 11:34 AM, shawn wilson  wrote:
> You can smartly limit resolution in squid - I don't trust this is what
> they were doing, but you could provide a better experience like this.

This may be just barely worth mentioning, but still: Gogo was, less
than a year ago, boasting that they go out of their way to provide
law enforcement with information beyond what the law requires. E.g.:
http://www.wired.com/2014/04/gogo-collaboration-feds/

Gonna go out on a limb here and strongly suggest not trusting any
*.google.com certificate signed by these guys.


Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-06 Thread Seth

On Tue, 06 Jan 2015 14:37:37 -0800, Nathan Dorfman wrote:

> Gonna go out on a limb here and strongly suggest not trusting any
> *.google.com certificate signed by these guys.


Has anyone on the list had success running the Tor Browser Bundle over a  
Gogo in flight connection?



Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-08 Thread Jon Callas


On Jan 6, 2015, at 8:34 AM, shawn wilson  wrote:

> You can smartly limit resolution in squid - I don't trust this is what
> they were doing, but you could provide a better experience like this.

It is what they are doing. I am an unhappy (for many reasons) regular (for many 
other reasons) Gogo customer, and noticed pretty quickly when they started 
doing it. I looked at their certs and it's an awful-user-experience way of 
blocking videos, and I strongly suspect that the rotten user experience is the 
intent.

Jon





Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-08 Thread Jon Callas


On Jan 6, 2015, at 5:22 PM, Seth  wrote:

> On Tue, 06 Jan 2015 14:37:37 -0800, Nathan Dorfman  wrote:
>> Gonna go out on a limb here and strongly suggest not trusting any
>> *.google.com certificate signed by these guys.
> 
> Has anyone on the list had success running the Tor Browser Bundle over a Gogo 
> in flight connection?

Pffft. A simple local VPN works just fine to get around their stuff. I'm very 
happy with the VPN I'm presently using. The clever person can figure out who it 
is from this email.

Well, I'll be. I am on a Gogo-enabled flight even as we squeak, and I just 
turned my VPN off to go get you one of their certs. They're letting me get to 
YouTube and Vimeo just fine now. I guess someone got some sense. It was pretty 
hamfisted and really just reminded me to turn on my VPN.

Jon





Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-08 Thread John Levine
> It is what they are doing. I am an unhappy (for many reasons) regular (for many
> other reasons) Gogo customer, and noticed pretty quickly when they started doing
> it. I looked at their certs and it's an awful-user-experience way of blocking
> videos, and I strongly suspect that the rotten user experience is the intent.

Do the fake certs validate in web browsers?  If so, who's giving them fake
*.google.com certs?

R's,
John


Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-08 Thread Patrick Mylund Nielsen
On Thu, Jan 8, 2015 at 6:35 PM, Jon Callas  wrote:

>
> Well, I'll be. I am on a Gogo-enabled flight even as we squeak, and I just
> turned my VPN off to go get you one of their certs. They're letting me get
> to YouTube and Vimeo just fine now. I guess someone got some sense. It was
> pretty hamfisted and really just reminded me to turn on my VPN.
>

I've been on several Gogo flights recently (before and after this came up)
and not noticed any SSL interception. Maybe they're only doing it on some
flights/flights that have the latest version.


Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

2015-01-08 Thread Jon Callas


On Jan 8, 2015, at 3:37 PM, John Levine  wrote:

> 
> Do the fake certs validate in web browsers?  


No, they do not validate.

If you go (went) to a Youtube, Vimeo, etc. site, URL, embedded whatever, you'd 
get the expected browser cert failure error.


> If so, who's giving them fake
> *.google.com certs?

I apologize for being a smartass on this, especially since the premise of your 
conditional is false. But I just can't resist; please take this with the humor 
I offer it with:

https://www.google.com/search?q=how+do+I+use+openssl+to+generate+a+certificate

Jon
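
Added example, not part of the thread or of any participant's message: a local reproduction of the validation failure described in the reply above, showing why a certificate issued by an interception proxy's own CA is rejected by a client that trusts only its normal root. The CA names, file names and the hostname video.example.test are constructed for the demo, and it assumes the openssl command-line tool with its default configuration.

```shell
#!/bin/sh
# Constructed demo: two certificates for the same hostname, one issued by a
# root the client trusts and one issued by a proxy's private CA.
set -eu

make_ca() {      # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = CA prefix, $2 = leaf prefix, $3 = hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Chain validation against the given trust anchor: prints "valid" or "rejected".
check_leaf() {   # $1 = trust anchor PEM, $2 = leaf PEM
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo rejected
    fi
}

run_demo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        make_ca trusted-ca "Constructed Trusted Root"
        make_ca proxy-ca   "Constructed Inflight Proxy CA"
        issue_leaf trusted-ca real  video.example.test
        issue_leaf proxy-ca   proxy video.example.test
        # The client's trust store holds only trusted-ca.pem.
        echo "real:  $(check_leaf trusted-ca.pem real.pem)"
        echo "proxy: $(check_leaf trusted-ca.pem proxy.pem)"
        # The issuer field is what a user inspecting the warning would see.
        openssl x509 -noout -issuer -in proxy.pem
    )
    rm -rf "$dir"
}

run_demo
```

Both leaf certificates carry the same subject name; only the issuer differs, which is why the browser error is the reliable signal and the hostname in the certificate is not.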