Apologies to Jimmy Durante but everyone, it seems, is waging man-in-the-middle attacks. The latest perpetrator is the provider of in-flight WiFi, Gogo. Google security engineer Adrienne Porter Felt, while on a flight, discovered that Gogo was serving up fake SSL certificates that claimed to be from Google.
Unlike the SuperFish exploit, Gogo couldn’t put a fake root CA certificate on their users’ laptops, so those users got a warning that the Google certificate was not signed by a trusted issuer. Of course, many users don’t understand any of that stuff and just click OK. Once they do, Gogo can read their HTTPS conversations.
Gogo’s excuse is that there is very limited total bandwidth available for everyone on the plane, so they want to prevent users from streaming video from YouTube, which is prohibited by their terms of service. That’s reasonable. What’s not reasonable is staging a man-in-the-middle attack on their users to enforce that prohibition. Add in what some describe as Gogo’s oversolicitous cooperation with law enforcement and you can see why privacy advocates are concerned.
Really, this behavior should be illegal. Arguably, it already is, but it needs to be made explicit: break into an HTTPS connection and you get treated just like any other cracker, regardless of your reasons. In the meantime, spread the word: Never continue with a connection that your browser warns is questionable.