Gogo Issues Fake HTTPS Certificates

A number of publications, including Ars Technica, have reported that Gogo is issuing fake HTTPS certificates to users visiting YouTube. HTTPS, when properly used, assures users that:

1. They are actually visiting the real site; Youtube in this case.

2. The communications between the visitor and the site, including passwords and cookies, are encrypted.

Ars Technica shows a screenshot of the fake certificate. It clearly shows that the issuer is Gogo rather than a Certificate Authority (CA) that the browser trusts; hence, the pop-up warning. Unfortunately, many users who are used to clicking past license agreements when using a public Wi-Fi hotspot will likely simply click “OK” so they can continue with their YouTube experience.

Here is a screenshot of the actual YouTube certificate:

Youtube SSL certificate

Is this the first time fake HTTPS certificates have been used for bandwidth-related purposes? Nope. Nokia did the same thing in 2013. GRC mentioned that incident and provides a technical explanation if you are interested in the details of how it works. But I think it was important then, and it remains important now. I think it is a serious problem when your only option to avoid this kind of proxying is to stop using a provider’s service altogether. We deserve and should expect better.

In response to the recent incident, Gogo issued a statement explaining that they proxy certain traffic to limit/block video streaming and that they don’t actually collect user information. By issuing its own certificate for YouTube, Gogo is basically asking you to trust that they aren’t doing anything untoward rather than relying on the mathematical strength of HTTPS. The company has decided that breaking HTTP’s security is worthwhile if it helps them achieve their stated goal of limiting a specific type of bandwidth usage.

To find out what Chari meant by their “video streaming policy,” I looked at their terms of use. I found the following line:

Given the limited bandwidth available from and to the plane, Gogo sets limits on your use of the Service for certain applications to ensure the best performance for the most users.

Unfortunately, this vague statement about limits does not specify how they set limits on use of their service. I also found the following line:

SSL-encrypted websites or pages, typically indicated by “https” in the address field and a “lock” icon, can also generally be securely accessed through the Service.

I found this statement extremely misleading. The word “generally” is cunningly thrown in, but there is no mention of any possible exceptions or an explanation of what “securely accessed” means in those cases. Based on this recent incident, it seems to mean “Gogo acts as a proxy in those exceptions, so the security of the connection in those cases depends completely on you trusting us.”

Nowhere in the terms of use could I find any mention that they reserve the right to issue their own certificates for HTTPS sites for the purpose of limiting video streaming.

From the perspective of security, Ars Technica is essentially correct that Gogo has set a terrible precedent, though I would argue that they are merely exacerbating a problem that already exists. In addition, the company isn’t very open about their policies. Although they could argue that they technically didn’t breach their terms of use, the true meaning of the vague passages that I quoted doesn’t become clear until the CTO released his statement.

Assuming Gogo is telling the truth about why it’s breaking HTTPS, is all this really necessary? Surely there are better ways to ensure that customers don’t use too much bandwidth without having to resort to drastic measures that could hurt the trust customers have placed the company. For example, they could simply cap all bandwidth instead of resorting to proxying to break HTTPS. Presumably, Gogo is worried about all excessive bandwidth usage rather than just video streaming. Setting limits without regard to how the limit is reached would allow them to more easily fulfill their stated goal of ensuring the best performance for most users while also respecting the security of HTTPS connections.

Leave a Reply

Your email address will not be published. Required fields are marked *