A Google engineer who connected to in-flight Wi-Fi service Gogo was surprised when she noticed that her browser was using a spoofed SSL certificate... for Google.
The engineer, Adrienne Porter Felt, who is a usability security researcher on the Chrome team, was presented with the fake SSL certificate when attempting to connect to Google's video service YouTube. Felt subsequently posted details about the spoofed certificate on Twitter.
-- Adrienne Porter Felt (@__apf__) January 2, 2015
In a statement on the incident, Gogo said that the incident was down to the company's streaming video policy. "We have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming," the statement reads. "One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it."
Presenting a spoofed certificate, the basis of a man-in-the-middle (MITM) attack, is a trick commonly used by attackers to intercept data being sent between two systems.
While Gogo has denied that user data was collected, by using a spoofed certificate the company bypassed a fundamental protection mechanism. However, a Wired article from April 2014 raised concerns that Gogo's federal wiretap provisions "may be doing more than the law requires."
"According to a letter Gogo submitted to the Federal Communications Commission," the article states, "the company voluntarily exceeded the requirements of the Communications Assistance for Law Enforcement Act, or CALEA, by adding capabilities to its service at the request of law enforcement. The revelation alarms civil liberties groups, which say companies should not be cutting deals with the government that may enhance the ability to monitor or track users."
Gogo provides in-flight Wi-Fi and digital entertainment to many airlines, including Delta, American Airlines, Alaska Airlines, Virgin America, and US Airways, using a proprietary air-to-ground network.
The bottom line is that any network that isn't under your control is an untrusted network, and you need to exercise vigilance over things like security certificates. If you are concerned about information leakage, then you should consider adding another layer of protection in the form of a VPN connection.
Would I trust a spoofed certificate, no matter how innocent the explanation? In a word, no.