[cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

Peter Maxwell peter at allicient.co.uk
Tue Jan 6 11:01:21 EST 2015


On 6 January 2015 at 15:40, Jeffrey Altman <jaltman at secure-endpoints.com>
wrote:

> On 1/5/2015 8:47 PM, John Levine wrote:
> >
> >
> http://venturebeat.com/2015/01/05/gogo-in-flight-internet-says-it-issues-fake-ssl-certificates-to-throttle-video-streaming/
> >
> > They claim they're doing it to throttle video streaming, not to be evil.
> >
> > Am I missing something, or is this stupid?  If they want to throttle
> > user bandwidth (not unreasonable on a plane), they can just do it.
> > The longer a connection is open, the less bandwidth it gets.
>
> I suspect that throttling user bandwidth is not the goal.  Instead they
> are attempting to strip out embedded video from within http streams.
> Since the video stream might be sent over the same tcp connection as
> non-video content they can improve the user's experience by delivering
> all but the video.
>

​So why do they not take a more traditional approach of:

i. blocking obvious video services (YouTube, etc) wholesale;​ and,

ii. limiting sustained bandwidth per user at a level that would frustrate
viewing video anyway.


​​It's somewhat easier to do than intercepting SSL/TLS connections.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20150106/41ce65c7/attachment.html>


More information about the cryptography mailing list