Gogo has been caught issuing a fake digital certificate for YouTube, a practice that in theory could allow the inflight broadband provider to view passwords and other sensitive information exchanged between end users and the Google-owned video service.
Normally, YouTube passwords, authentication cookies, and similar site credentials are securely encrypted using the widely used HTTPS protocols. A public key accompanying YouTube's official HTTPS certificate ensures that only Google can decrypt the traffic. The fake certificate Gogo presents to users trying to access the video site bypasses these protections, making it possible for Gogo to decipher data. It has long been Gogo's policy to block access to streaming sites and other bandwidth-intensive services. A company official said the fake YouTube certificate is used solely to enforce the policy and not to collect data intended for YouTube. Security and privacy advocates criticized the technique anyway, characterizing it as heavy-handed.
The certificate came to light late last week when Adrienne Porter Felt, an engineer in Google's Chrome browser security team, posted a screenshot of the HTTPS certificate Gogo issued her when she visited YouTube. Rather than being signed by a recognized certificate authority, the credential was signed by Gogo itself. In fairness to Gogo, the fake certificate would generate warnings by virtually all modern browsers. Still once users click an OK box, the bogus credential would allow Gogo to decrypt any traffic passing between end users and YouTube.