
Gogo injects false SSL certificates for google.com domains - guanche
https://twitter.com/__apf__/status/551083956326920192/photo/1
======
furyg3
Captive portals really need to die. Fake DNS entries, URL redirects, injected
html/javascript, false certificates: all are very annoying, essentially train
users on bad behavior, and provide opportunities for nefarious actors (either
the hotspot provider themselves or attackers spoofing hotspots).

Plus, the user experience is awful: sometimes when I join a network the portal
shows up immediately, sometimes I only get it when I open a browser. Sometimes
I open my mail first and get 10 error messages about incorrect certificates.

Is there any good alternative / standard that could serve the purpose without
all of the current drawbacks?

~~~
diafygi
Captive portals are fine if you use a VPN. When I go on a flight, I visit a
non-https site, get redirected to the WiFi login-or-pay, pay, and then connect
to my VPN. All traffic after that (to the airline) is encrypted. Plus,
airlines would never start blocking VPNs because you would lose all of your
business customers.

~~~
pdkl95
Captive portals need to die not because of any technical reason - they have
the same problem as the "UAC" pop-up showing up far too frequently: it teaches
people to ignore what should be a serious security warning. An SSL certificate
suddenly changing to a strange new signing authority is the kind of problem
that _should_ be a serious warning. By _de facto_ teaching that it is ever
valid to ignore important security measures, captive portals badly hurt the
real education that needs to happen about how to handle computer security.

Worse, this is another example of where laziness and convenience tend to
promote these bad habits. Never mind the average user - way too many technical
people[1] fall into these bad habits - including programmers and sysadmins
that _really_ should know better. This isn't just WWW/HTTPS - did you always
use a VPN? With a properly secure login that you know does not involve a MitM?

[1] I mean in the general, statistical sense - any resemblance to people
posing in this thread is an unintended coincidence.

> never start blocking VPN

That's easy - you just push PKI (already used in many places) and make up
some excuse why this new version is needed for "airplane security". We live in
an age where airlines (w/ the TSA/.gov) make a big deal about confiscating
water bottles and regularly steal from luggage; do you really expect "business
customers" to get angry over VPNs while allowing the past decade of security
theater?

~~~
mikecb
Maybe certificate pinning needs to include being able to forbid clicking
through a warning. WiFi services would change their methods fast if they got a
sudden drop in users.

------
stubborndude
Random guess - this is probably because many people have their homepage set to
an SSL'd Google site. In order to be able to show the "login or pay" message to
someone when they fire up their browser, Gogo needs to have a cert to
communicate over 443 without the browser refusing to display a page.

Not condoning the practice, but that's my guess at the motivation. I also
imagine it doesn't work very well, as many new browsers will refuse to display
if the cert chain is broken.

~~~
jkot
My Samsung tablet is aware of the login and opens a browser after it connects
to a wireless network.

My guess is caching (that's in the airplane).

~~~
ceejayoz
Apple does the same thing (apparently they request
[https://www.apple.com/library/test/success.html](https://www.apple.com/library/test/success.html)
and see if it returns the correct SSL and contents).

------
Kliment
I wonder if it's related to this workaround that allowed access to some Google
IPs to bypass the captive portal, which someone managed to then use to access
app engine, and a proxy running there to reach the entire internet:
[http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-inte...](http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/)

quote from that article:

"There is, of course, one other possible solution: Gogo could man-in-the-
middle the desired Google web services in order to perform filtering on the
HTTP host header. However, this approach could have unforeseen consequences.
Therefore, I do not recommend it."

~~~
HackinOut
Well they would be facing the _unforeseen consequences_ while not even
filtering the HTTP host header (the YouTube page is displayed). Unless they
_forgot_ to disable the MITM once the user is granted full internet access...

EDIT: Those are two nice insights about what Gogo does behind the scenes, but I
would bet the fact that Google is involved with both is a coincidence (or is it,
considering the multiplicity of Google's services?)

------
HackinOut
According to the tweet's author[1], this happened only with YouTube, and was
not related to the captive portal mechanism whatsoever. So I would side with
her on the why: poor plane internet access was overloaded by videos streamed
from YouTube and somebody hacked together a very ugly solution that's going to
have bad consequences...

[1]
[https://twitter.com/__apf__/status/551132865555996673](https://twitter.com/__apf__/status/551132865555996673)

[https://twitter.com/__apf__/status/551096550516994048](https://twitter.com/__apf__/status/551096550516994048)

~~~
persona
Correct! I've checked and it's also doing it for Vimeo, DailyMotion and
probably other video sites.

------
jessaustin
This is a mistake on Gogo's part. I can't think of anything legitimate they
could do using this that they couldn't also do in a more reasonable way. The
illegitimate things they could conceivably do with this (if they wanted to,
which seems unlikely), they can't do reliably or without getting quickly
discovered. A lot of people are going to see the pinned browser warning and
wonder what's up.

Of course, that this is a mistake doesn't mean it will be corrected soon, so
VPN is probably the way to go, which maybe it is anyway.

EDIT: perhaps this is intended to plug the hole mentioned here:
[http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-inte...](http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/)
That really should be only applicable to people who haven't paid, however.

------
tzs
I wonder if there is any trademark/service mark issue here? They are issuing a
certificate that identifies itself as Google's, but it is not.

Note that if Google sued over this, Gogo would not be able to use anything in
its TOS as a defense, because the TOS is between Gogo and its users, not
between Gogo and Google.

------
rip747
The funniest thing is the comment from David Aronchick about midway down:

"@__apf__ i love that people are trying to explain to you what's going on - do
you folks know who she is? :)"

So I'm like, who is this girl? I've never heard of her. What's the big deal
with people taking guesses about what is going on?

Then I check her profile on twitter:

Engineer & usable security researcher. Google Chrome security team.

Yep... sometimes when you throw your two cents in, you get hit in the head
with a quarter.

------
njloof
This is SOP at many employers that want to snoop use of their private Internet
feed.

~~~
jessaustin
_...SOP at many employers..._

That's true, and I can't believe we _still_ haven't seen someone suing an
employer over leaked personal banking creds. Many firms just have the proxy
running, and haven't actually thought very hard about what assets (and whose)
that proxy sees.

~~~
acdha
Any such lawsuit would immediately run into the problem that your employer
gives you a computer to work for them, not to conduct your personal online
banking, and you'd need to be willing to lose your job banking on that lawsuit
succeeding and generating a large enough settlement to be worth it.

The far more likely grounds for a ruling against a sloppy proxy operator will
come from something like a HIPAA violation or perhaps one of the financial
trading companies.

~~~
dragonwriter
> The far more likely grounds for a ruling against a sloppy proxy operator
> will come from something like a HIPAA violation or perhaps one of the
> financial trading companies.

In general, I don't think a proxy operator would be covered by HIPAA; if
there's any HIPAA issue there, it's with the HIPAA covered entity with which
the user is communicating using a communication mechanism vulnerable to an
MITM attack in the first place.

~~~
acdha
That's only true for generic public proxies. In the context we're talking
about, however, it's too easy to imagine a company which has patient records
installing a corporate monitoring proxy but configuring it in some way which
either revealed data to people who shouldn't have it or failed to retain
mandatory records like audit logs. Some places feel corporate proxies are
necessary for compliance auditing but they're enormously risky since you're
creating a single point of failure which has access to almost everything.

------
quentusrex
On Gogo wifi right now and I'm not able to replicate the results. After paying
for access I've tested several Google services with no certificate issues
(checked with latest Chrome, and openssl's s_client).

I opened another laptop (I travel with two), and without paying I started
testing outbound connections with openssl's s_client and curl. It appears that
the Gogo wifi system will allow between 5-10 SSL connections before starting
to block all outbound SSL connections. Without paying, all HTTP requests
include a redirect to the captive portal, but at no time did I see a
self-signed cert for any of the HTTPS connection attempts.

------
ctur
I'm not sure what all of the fuss is about. They didn't somehow obtain a copy
of Google's real certificate; they made a fake one with the same contents, but
not signed by a certificate authority your browser trusts. Your browser erects
the standard "woah wtf" alert. There is a ton of infrastructure built into
your browser to make sure you are aware of this.

I suppose the main reason to be concerned is that, sadly, many people will
click through this; generally, though, they are the same people who will
download random software and install it, join untrusted wifi networks, click
on attachments, etc etc -- in other words, they are already victims of
clicking-before-thinking or clicking-without-understanding.

This is _less_ horrible than silently modifying pages, injecting JavaScript,
etc -- at least you get a warning and can go to a non-ssl page and pay for
your wifi (and then use a VPN if you so desire). It isn't just GoGo that does
this. Various other public WiFi, such as hotels, airports, etc, often do
things like this as well (though usually just to extract payment rather than
selectively block certain sites).

------
iancarroll
I said this on reddit as well: could this just be them trying to block YouTube
and other streaming services?

~~~
RKearney
I doubt this is them trying to block YouTube.

The certificate has SAN entries for things like google-analytics.com,
android.com, *.cloud.google.com, goo.gl, g.co, urchin.com, and a plethora
more[0].

If they wanted to just block YouTube, there are ways to do that without
forging certificates. For example, modern browsers will send the domain name
in plain-text even for HTTPS connections for SNI to function. They could
easily block based on that.

[0] [http://imgur.com/a/C8Tf4](http://imgur.com/a/C8Tf4)

~~~
userbinator
They just cloned the list of SANs in the standard Google certificate, which
YouTube also uses.

Captive WiFi portal (or some sort of traffic-shaping) is likely the right
answer, as the other poster above points out.

Given that the issuer is an internal IP I'm pretty sure they are just proxying
HTTP(S) requests, grabbing the remote certificate, duplicating the subject and
signing it, allowing them to MITM any HTTPS traffic on the fly. Trying this
with a different HTTPS site will easily show this; I don't think they're
specifically targeting Google directly.

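As an added example (my own code, not from anyone in this thread or from Gogo), here is a stdlib-only Python check that does what quentusrex did with openssl s_client, but also compares the presented leaf against a SHA-256 pin recorded on a trusted network beforehand. This flags the proxy behaviour userbinator describes (a freshly forged leaf signed by an internal CA) even if the client's trust store has been tampered with; the hostname and pin values are assumed to be supplied by the user.

```python
import hashlib
import socket
import ssl

def normalize_pin(pin):
    """Accept openssl 'AB:CD:...' form or bare hex; return lowercase bare hex."""
    return pin.replace(":", "").strip().lower()

def leaf_fingerprint(der):
    """SHA-256 of the DER leaf (what 'openssl x509 -fingerprint -sha256' prints)."""
    return hashlib.sha256(der).hexdigest()

def fingerprint_matches(der, pins):
    """True when the presented leaf matches any pin recorded on a trusted network."""
    return leaf_fingerprint(der) in {normalize_pin(p) for p in pins}

def fetch_leaf_der(host, port=443, timeout=10):
    """Return the leaf certificate the network presents, deliberately unverified,
    so a forged chain can be inspected instead of aborting the handshake.
    With CERT_NONE getpeercert() returns {}, hence binary_form=True."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def trust_store_error(host, port=443, timeout=10):
    """Normal verified handshake: None on success, else the verifier's message
    (the same failure a browser turns into its certificate warning)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return getattr(exc, "verify_message", str(exc))

def classify(verify_error, pin_ok):
    """Combine the trust-store result and the pin match into one verdict."""
    if verify_error is None:
        return "ok" if pin_ok else "trusted-but-unpinned"  # rotation, or CA-issued MITM
    return "untrusted-chain-pinned-leaf" if pin_ok else "interception-suspected"

def diagnose(host, pins, port=443):
    """Live check over the network; returns (verdict, leaf sha256 hex, verify error)."""
    der = fetch_leaf_der(host, port)
    err = trust_store_error(host, port)
    return classify(err, fingerprint_matches(der, pins)), leaf_fingerprint(der), err
```

Call `diagnose("www.youtube.com", ["<pin recorded earlier>"])` from the in-flight network; an "interception-suspected" verdict with a leaf fingerprint that differs from the pin is the case this thread describes.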
------
moyix
I noticed this back on Dec 8 [1]. Sadly, looks like I got the wrong Twitter
account when trying to report it.

[https://twitter.com/moyix/status/542079755659390976](https://twitter.com/moyix/status/542079755659390976)

------
cnlwsu
Imagine if Gogo gets compromised and that cert is stolen. Suppose it will end
up on a CRL or just quietly replaced?

~~~
cr3ative
It wouldn't matter; the certificate is signed by Gogo so isn't valid by
default on anyone's devices.

------
_red
Seems like someone should instigate a class-action lawsuit against them for
DMCA / HIPAA violations.

~~~
duskwuff
DMCA doesn't apply here; there is no copyrighted media being copied.

HIPAA doesn't apply either; the in-flight wifi carrier is not a health care
provider.

~~~
_red
DMCA is more than copyright... it's also about "anti-circumvention", the idea
of a supposedly secure connection being circumvented.

For HIPAA: what happens when you search Google for your healthcare issue and
they intercept it? Since they have your name (from your credit card info), now
their servers have sensitive healthcare info... are they HIPAA compliant?

------
daxfohl
TSA's influence I'd imagine. Because we all know terrorists like to
double-check their how-to videos on YouTube before actually commencing the act.

------
AdmiralAsshat
Could be completely unrelated, but I seem to recall that anyone who bought
certain lines of Chromebooks was supposed to be given 10 free complimentary
wifi sessions through Gogo. I wonder if Gogo was given the cert by Google for
that.

~~~
calciphus
If they were, it would be signed by Google, not self-issued by Gogo.

