Tech experts are accusing Gogo, a leading provider of in-flight WiFi services for airlines, of compromising the security of fliers' laptops and hand-held devices in its effort to control bandwidth consumption among passengers.
At issue are the security protocol certificates employed by the Internet technology known as Secure Sockets Layer (SSL), which verify that a website is what it claims to be and is safe to visit.
A Google engineer who used Gogo to access the Internet on a recent flight sent ripples through the tech world when she tweeted her concerns about the way Gogo implements SSL certificates.
Most service providers pass users directly to the site, and their browsers check each target site's certificate to determine if it is safe to visit. But instead of following this standard protocol for SSL links, the Google engineer discovered, Gogo is substituting its own SSL certificates for the genuine certificates of at least some of the sites people visit.
After the Google engineer tweeted her concerns, Gogo issued a statement acknowledging the practice but asserting that it was necessary to substitute its own certificates for the originals in order to limit onboard video streaming and thus ensure that all of its airborne customers have access to sufficient bandwidth for less taxing services such as email.
"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure Internet traffic," Gogo's chief technology officer, Anand Chari, said in the statement. "We can assure customers that no user information is being collected when any of these techniques are being used."
Still, both cyber security analysts and leading commenters in the tech media have taken Gogo to task for violating what they say has become a universally honored security protocol. PC Mag called Gogo's issuance of its own SSL certificates for sites it does not control "a big no-no in online security," while online gaming news provider Neowin called the practice "extremely unacceptable."
Jerry Hoff, principal security analyst at Web security consultant WhiteHat Security, noted that Gogo's method is not that different from how company-provided computers are set up to monitor employees and their Web traffic.
Hoff said, however, that while Gogo's intentions are likely legitimate, its methods could pose cyber security problems.
"No matter what the intention, it puts sensitive data at risk," Hoff said.
Gogo provides Internet service on more than 2,000 commercial aircraft operated by more than 10 carriers, including Delta, American and United, and the company, which went public in 2013, continues to grow. Through Sept. 30, Gogo's revenue jumped 27% from a year earlier, to $299.3 million, while its net loss was cut in half, to $60.4 million. Gogo charges passengers anywhere from $5 for one hour of on-board Internet access to $59.95 a month for unlimited onboard WiFi usage.
Representatives of neither American nor United responded to a request for comment from Travel Weekly late last week, while a Delta spokesman referred all questions to Gogo.
JetBlue, the largest U.S. carrier to provide its own onboard Internet service, said its Fly-Fi service doesn't need to issue its own SSL certificates because it provides sufficient bandwidth levels on its aircraft.
"With the most bandwidth in the industry, we don't need to try to block customers from video streaming," JetBlue spokeswoman Tamara Young said.