1. 12
  2. 4

    This story seems more than a little overwrought.

    > If you have used Gogo in the past, it is worth considering that all of your communications, including those over SSL/TLS, have been compromised and that you should consider resetting your passwords.

    That kind of depends on whether you accepted the cert, no? I guess if you didn’t accept the cert there wouldn’t have been any communications to compromise, but it sounds like the cert was only being presented for video sites?

    I’m sure by tomorrow some news site will be running a story about how everyone who’s ever flown on a Gogo flight has had their identity stolen.

    1. 2

      Just to head off one comment that’s often seen about this story… I’ll leave aside for a moment whether the MITM is desirable (I think it’s terrible, but I can see Very Serious Business rationales for it).

      If you can convince the user to get their OS to trust your CA cert, e.g. by having them install “client” software, or (FSM forfend) by convincing browsers/TLS client libraries to include you in their default trust store, then issuing certs for domains you don’t actually control is the only way to get past hostname verification and make the whole attack seamless.

      1. 1

        Gogo’s response: it’s about blocking streaming video sites.

        For some reason when I read the headline my brain jumped immediately to TURKTRUST/ANSSI/DigiNotar. At least that’s not the case. I wonder how many people clicked past the big “don’t do this” warning in their browser. Hopefully not many.