GoGo does not need to run “Man in the Middle Attacks” on YouTube (reed.com)
77 points by declan on Jan 6, 2015 | hide | past | favorite | 33 comments



Certificate Transparency[1], a public log that makes maliciously issued certificates easier to detect, will roll out in Chrome [for EVs to begin with] this spring. FF will probably follow.

It doesn't solve all CA problems, but it does soothe some.

[1] http://www.certificate-transparency.org/


You don't need CT to detect this; Gogo was using self-signed certificates, which browsers reject all by themselves.


This post assumes that GoGo are doing a MITM simply to block YouTube in order to prevent their network from being congested. My assumptions would be that

1) GoGo are blocking youtube in favor of their in-flight paid media services not just for bandwidth

2) GoGo's MITM attack has little to do with media content but rather more about being able to read all the communications of passengers for "national security" purposes.

If they are decrypting and logging your traffic (including passwords) and communications, then I assume their scheme can be defeated by a VPN. If you want to send intimate messages to your lover, or discuss a political protest while in flight, without some nosy GoGo employee reading it, then probably using OTR (like Cryptocat or pidgin/adium), PGP (like mailvelope, enigmail), and ZRTP (Redphone/Signal) are a pretty good idea.


But there's no evidence that either of your assumptions is true. Gogo has said publicly[1] that they're trying to "shape bandwidth" to YouTube and other streaming sites. Let's not spread conspiracy theories about "national security" on HN when the truth about the NSA's domestic surveillance hijinks is disturbing enough.

I say this even though I've criticized Gogo[2] and suggested ways in which they may be legally liable as a result of their fake *.google.com cert.

For those who may not be familiar with his work, David Reed, the author of the linked post, helped with the early development of what would become the modern Internet. That includes UDP and IP signaling, which is one reason (I believe) he won an ACM hall of fame award.

[1] http://concourse.gogoair.com/technology/statement-gogo-regar...

[2] https://twitter.com/declanm/status/552365531798716417


"In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests"

"Although FCC rules “do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA…,” Hastings noted, “[n]evertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.”"

http://www.wired.com/2014/04/gogo-collaboration-feds/

http://www.wired.com/wp-content/uploads/2014/04/Gogo-Letter-...


The Snowden documents explicitly point to heavy effort going into monitoring internet use by passengers on airplanes, including using information about connecting flights to connect passengers to MAC addresses. It wouldn't surprise me in the least if they were doing a bit of work to make sure that the actual content is readable. It's barely a conspiracy theory.


Why would Gogo need to MITM YouTube to shape traffic? Can't they just cap each passenger's traffic, regardless of the website or whether it is encrypted?


Fair point. It's most likely nothing nefarious, but who knows, maybe they log everything and will one day face a data breach like Sony? Maybe they data mine it?

IRL if somebody intercepted all of your mail, opened the envelope and then put your private letters and bank statements in their own envelope to re-send it, then told you they were doing this to shape postage traffic because they physically cannot handle certain kinds of packages to your location, then you can both A) Believe them that they cannot handle such packages and B) worry about what goes on during the process of opening and repackaging your mail. You don't know the employees doing the repackaging and what if one of them moonlights as a thief. The post was about A, my response was about B. Sorry if it's off topic but you can and should take steps to protect yourself without interfering with their bandwidth shaping.


1) They are not blocking (completely) Youtube. But still plausible.

2) Then why would they be doing it only on video streaming websites? [1] Also, if they are so obvious about their methods from now on, one nice thing is that we won't need whistleblowers anymore.

[1] https://news.ycombinator.com/item?id=8839733


As a frequent user of in-flight internet, I can tell you their login page has a big reminder saying that streaming video is not supported and giving examples like Netflix and HBO Go.

The technical reason -- which is sound -- is that there's not enough bandwidth between plane/ground.


Strictly speaking, GoGo's service isn't capable of handling streaming, but it's not clear to what extent bandwidth is the limiting factor. Really bad bufferbloat does horrible things to goodput. With proper QoS, it's likely that they could sustain at least one or two low-resolution YouTube streams, just not a whole plane full. Terrestrial ISPs can't handle everyone watching video at the same time, either.

Jim Gettys reported on the CeroWrt-devel list that he tried to benchmark the in-flight Internet connection on a United flight to Hawaii last November, and it apparently crashed the connection. The routers and accompanying software being used for these systems are probably of exceedingly low quality.


I would expect that even if it wasn't mentioned, I mean it's freaking internet access in a fast moving object 30,000 feet above ground! I don't like what Gogo just did, but kudos for undertaking this challenge. barnaby mentioned they have in-flight paid media services, of what sort/diversity/quality? I suppose it's a selection of movies stored on a server in the plane.


Yes, in-flight streaming services tend to have a bunch of stuff on a little server on-board, and the in-cabin routers can more than handle that. It's the plane<->ground link that's the chokepoint; on a lot of planes that bandwidth isn't much better (and sometimes worse) than a 4G cellular link, but shared among everyone on board.


Exactly, those media servers are in the plane.


2.) Makes a lot of sense. I think it is the most likely explanation for the MitM.

1.) GoGo doesn't need MitM on video streaming to aid in law enforcement, but it's an opportune time to mention that video streaming has been a target of the intelligence apparatus as recruiting videos and indictments of US imperialist activity is condemned there (for example Al-Awlaki's videos were censored from youtube for being seditious; to give context here Al-Awlaki was a US citizen assassinated without a trial and is one of four American citizens killed by drone strikes - while never engaging in violent actions himself he was given the moniker 'The Osama Bin Laden of the Internet' for his recruiting efforts). Another relationship video streaming services have with intelligence efforts is that logins and cookies (associated with Google Accounts in the case of Google) are good identifiers. In this case a MAC address could be associated with online accounts (I'm not saying this is done).


I think it's (probably) wrong to kill US citizens without trial. I won't use the word "assassinate" since it perhaps dignifies the action too much. Also I highly respect John McCain's position against torture, aka "enhanced interrogation".

However, the US isn't fighting against opponents who are playing by Marquess of Queensberry Rules. And the average American is willing to descend a little way down a "slippery slope". To quote a White House official:[1]

   "If Anwar al-Awlaki is your poster boy
   for why we shouldn't do drone strikes,
   good fucking luck."
Yeah, sometimes right and wrong isn't completely black and white. There are shades of gray. There is a dark side that tries to seduce everyone.

[1] http://www.rollingstone.com/politics/news/the-rise-of-the-ki...


Interesting quote and a good article by Michael Hastings (before his mysterious death) for those interested in the controversial subject of drone strikes. Thanks for the link!

Given the use of the quote in the article to cast the CIA as dismissive of Constitutionality and of fundamental human rights would you say that you diverge from Hastings in your understanding (i.e. the CIA are 'right'?). I might be: I'm much more upset at the death of 76 children and 29 adult bystanders accidentally (?) killed while trying to target Ayman al Zawahiri (who is still reportedly at large) or in general the estimated 28:1 ratio of untargeted casualties to successful targets (themselves suspect in international law). Then again, even while Anwar al-Awlaki was no cupcake, if his case were applied as a standard of justice in America any true sense or illusion of justice in the legal system we have would be lost.


There are many people who feel that the large amount of collateral damage from drones only inflames people against us. There's a lot of truth in that. But still, take the case of Bin Laden. He was living down the block from Pakistan's West Point. It seems logical to conclude that quite a few important people in Pakistan knew he was there.

So maybe it doesn't matter? Maybe the additional people we are alienating already hated us before we greatly increased the number of drone strikes?

Aside: the cynical me would bet even money that 95% of the 3rd world people who profess to "hate" us would jump at the chance to immigrate to the USA.

As for "justice", in order to remain happy living in the USA I have to believe that, overall, this country is basically good, that we're perhaps the best country in the world in terms of allowing people "Life, Liberty and the pursuit of Happiness". I do believe that.

I'll leave you with the title of a book that was published about 19 years ago:[1]

   Pick a Better Country:
   An Unassuming Colored Guy
   Speaks His Mind about America
Ken Hamblin's basic point in that book is that we might not be perfect, but it's hard to find a country that, overall, is better than the United States of America.

[1] https://en.wikipedia.org/wiki/Ken_Hamblin


While I'm not likely to agree with most of the speculation here, you might find me agree that there are much, much worse places in the world than America. We are lucky to have inherited this wealth that America has.

America is extremely wealthy (it is 4% of the world population and has 25% of global wealth). With great prosperity and opportunity the conditions are laid for great freedoms. This is nearly universal. The contention for the means to survive and thrive creates strife that interrupts peace, and furthermore muddling (as was laid around the 'third' world by imperialists and globalists and proxy war - in the Middle East by Sykes-Picot, Palestine by British Mandate, Korea by General Order 1, Vietnam, Malaysia, Laos, Cuba, and Tibet all by proxy war, Africa, Philippines, countless others by colonialism) exacerbate this strife.

America did not merely innovate herself to her prosperity. Nor is 95% of the third world to blame for their poverty.

I also would bet that 95% of slaves, who would have professed to 'hate' their masters, would have jumped at the chance to become one. The two need not be mutually exclusive.

America is blessed to have been culturally couched on the opportunity to steal an unstripped continent through the marginalization and genocide of millions of established native peoples, outsource the labor of its major national products to an enslaved race of kidnapped peoples and separated families up until (and to large degree after) industrialization, to have been a war profiteer of two of the world's most deadly wars (and used this leverage to establish itself as the primary gold lender of the world), and to have established itself as the world's primary protector by being the only country to have used a nuclear bomb against a civilian population and by banning the development of such weapons by others, and today by pulling strings around the world to engineer its own success.

Thank you for the Ken Hamblin book. It's now on my queue. I'll trade for a quote from a speech by Mr. President John Quincy Adams:

"She has, in the lapse of nearly half a century, without a single exception, respected the independence of other nations, while asserting and maintaining her own. She has abstained from interference in the concerns of others, even when the conflict has been for principles to which she clings, as to the last vital drop that visits the heart. She has seen that probably for centuries to come, all the contests of that Aceldama, the European World, will be contests between inveterate power, and emerging right.

Wherever the standard of freedom and independence has been or shall be unfurled, there will her heart, her benedictions and her prayers be. But she goes not abroad in search of monsters to destroy. She is the well-wisher to the freedom and independence of all. She is the champion and vindicator only of her own. She will recommend the general cause, by the countenance of her voice, and the benignant sympathy of her example."


Why are they even pulling this MITM trick in the first place ?

Can't GoGo just "blacklist" streaming sites at a DNS level and deal with the problem before a connection is even made to a high-bandwidth destination?


It's commonplace for savvy users to never trust the DHCP-provided DNS servers, and DNSSEC is available to detect when responses from your trusted DNS server are being hijacked and replaced with lies.


DNSSEC offers no protection against censorship because it's not encrypted. All GoGo would have to do is drop the query or return SERVFAIL.


DNSSEC protects against the hard to detect forms of DNS fraud. A SERVFAIL or ignored query already makes it completely obvious that your DNS server isn't behaving, and if you're trying to use an otherwise-reliable DNS server, it's a major red flag that the network is working against you. What DNSSEC protects against is a DNS server returning information that it wants you to think is valid; a SERVFAIL is never going to look like the right response.

There's a lot more than just censorship that can be accomplished by messing with DNS responses, and censorship done solely through DNS is actually pretty half-assed censorship.


Right, but the comment that prompted this sub-thread was:

> Can't GoGo just "blacklist" streaming sites at a DNS level and deal with the problem before a connection is even made to a high-bandwidth destination?

Clearly the word here is "censorship." Or if you prefer, "blocking," which doesn't have a political connotation. DNSSEC was then proposed as a countermeasure to this blocking, and I showed why it's not a countermeasure.

DNSCrypt would be more effective here because it's encrypted.


DNSCrypt on its own accomplishes nothing. What you're really saying is to use DNSCrypt and configure it to masquerade its traffic by not using port 53 so that it's less likely to be blocked. Without using a non-standard port, the results for DNSCrypt will be the same as from DNSSEC: an error in trying to look up the domain, which is identifiable as being different from an error trying to access the server pointed to by the DNS record.

You don't need DNSCrypt to be able to do DNS lookups on a non-standard port. DNSCrypt just happens to offer a list of a few servers that respond (using their protocol) on non-standard ports. The list is short enough (16 IPs to block!) that it could easily be included in the malicious gateway's firewall rules, rendering DNSCrypt useless for working around the blocking and still less useful than DNSSEC for deducing the nature of the interference.


I think you've misunderstood what whyleyc wrote above. OP asked why GoGo doesn't just "blacklist" ie censor the mentioned sites via DNS, explicitly excluding a MITM attack:

> Why are they even pulling this MITM trick in the first place ?

> Can't GoGo just "blacklist" streaming sites at a DNS level and deal with the problem before a connection is even made to a high-bandwidth destination?

So no MITM, just GFW of China style blocking. Which is trivial for unencrypted packets like DNSSEC. Observe, by the way, that China supports DNSSEC -- it's not a problem for them!

http://dnsviz.net/d/cn/dnssec/

And it wouldn't be a problem for GoGo, either, because DNSSEC is not encrypted and blacklisted sites can be dropped on the floor. Or GoGo could trivially return SERVFAIL. But the whole thing is moot anyway because youtube.com doesn't support DNSSEC and probably never will.


Blocking DNSCrypt entirely and forcing a fallback to the approved (censored) DNS servers is still not any harder to accomplish than censoring unencrypted DNS with or without DNSSEC. DNSCrypt as it currently exists is not any more censorship-resistant except where it is completely unknown to the censoring party. The only real security (against censorship) that it offers is security through obscurity, so saying that DNSSEC's problem is a lack of encryption is complete bullshit.


Because you probably have youtube.com cached, for one.


The TTL on the A record for youtube.com is 5 mins though, so a "well-behaved" client would likely need to re-query the DNS.

You could just edit your local hosts file to circumvent that but you'd have to then have entries for the myriad of streaming servers that YouTube uses to deliver videos.


The problem is not that they are doing this, but that they can.

This is a technology problem and it will not be fixed by shaming offenders (GoGo probably didn't have any evil intentions at all).


What we need is not "HTTPS Everywhere" (which I sometimes call "Security Theater Everywhere") for static content. We need content signing without encryption for bulky content. The W3C proposal for this is called "Subresource integrity" (http://www.w3.org/TR/SRI/). The "integrity" attribute is applied to links, like this:

    <a href="https://example.com/file.zip"
       integrity="ni:///sha256skjdsfkafinqfb...ihja_gqg?ct=application/octet-stream"
       download>Download!</a>
This also applies to IMG, EMBED, LINK, etc - any content.

This is a huge win for caching systems. Any cache in the path from browser to server, seeing that, can use a cached version of the content. Because cache content validity is defined by the sha256 hash, there's no cache expiration time issue. You can load JQuery once and use it all week. Caching systems can even index their cache by hash, and deliver data loaded from a different site. What a cache cannot do is change even one bit of the content. Such data tampering will be caught by the browser. (W3C is trying to figure out what to do about streaming data.)

As for "bufferbloat", that's usually mis-identifying the problem. The real problem is usually bad queue ordering at a choke-point router. FIFO queuing at a choke point will not work well. At a router where there's significantly less outgoing bandwidth than incoming bandwidth, you need some kind of fair queuing, so that big flows don't starve out little ones. Most Cisco routers support that. On the other hand, there's nothing wrong with buffering up lots of content for a single flow if you have the space. If you're loading a big image or a video stream, temporarily stashing a full TCP window of it in the router is just fine. It will be delivered and will play out eventually.

Ideally, you'd like full fair queuing, but it's somewhat computationally expensive. There are approximations to fair queuing that work reasonably well, and are being designed into DOCSIS cable routers. See (http://people.cs.clemson.edu/~jmarty/AQM/AQM-DOCSIS.pdf) If you're using expensive bandwidth like a satellite channel to an aircraft, you definitely need something smarter than FIFO.

(I used to work on network congestion, a long time ago. See RFC 970, 1985. https://tools.ietf.org/html/rfc970)
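The integrity check the comment describes, as an added example that is not part of the original post: a verifier that recomputes the digest before trusting cached bytes, accepting both the final SRI token form (`sha256-<base64>`) and the `ni:///` draft form quoted above (assumed here to follow RFC 6920: `algorithm;base64url-digest`, optional `?ct=`). The sample content and the bit-flip tamper function are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed sample resource; stands in for a fetched script or file.zip.
SAMPLE = b"console.log('hello from a cached subresource');\n"


def sri_token(content: bytes, algo: str = "sha256") -> str:
    """Integrity token in the form the final SRI spec settled on: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def ni_token(content: bytes, algo: str = "sha256",
             ct: str = "application/octet-stream") -> str:
    """Token in the ni:/// draft form from the comment above. Assumed (RFC 6920) layout:
    ni:///<algorithm>;<base64url digest, padding stripped>?ct=<content type>."""
    digest = hashlib.new(algo, content).digest()
    b64url = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return f"ni:///{algo};{b64url}?ct={ct}"


def parse_integrity(value: str) -> tuple[str, bytes]:
    """Accept either token form; return (hashlib algorithm name, raw digest bytes)."""
    if value.startswith("ni:///"):
        body = value[len("ni:///"):].split("?", 1)[0]   # drop ?ct=... query
        algo, b64url = body.split(";", 1)
        algo = algo.replace("-", "")                     # RFC 6920 spells it sha-256
        padded = b64url + "=" * (-len(b64url) % 4)       # restore base64 padding
        return algo, base64.urlsafe_b64decode(padded)
    algo, b64 = value.split("-", 1)
    return algo, base64.b64decode(b64)


def verify(content: bytes, integrity: str) -> bool:
    """What the browser (or any cache on the path) must do before using the bytes:
    recompute the digest and compare. A single changed bit fails the check."""
    algo, expected = parse_integrity(integrity)
    if algo not in hashlib.algorithms_available:
        return False                                     # unknown hash: never trust
    actual = hashlib.new(algo, content).digest()
    return hmac.compare_digest(actual, expected)


def cache_key(integrity: str) -> str:
    """Content-addressed cache index: same digest means same bytes, whatever the origin URL."""
    algo, digest = parse_integrity(integrity)
    return f"{algo}:{digest.hex()}"


def tamper(content: bytes) -> bytes:
    """Flip one bit of the first byte, modelling an on-path box altering cached content."""
    return bytes([content[0] ^ 0x01]) + content[1:]


if __name__ == "__main__":
    tok = sri_token(SAMPLE)
    print(tok, verify(SAMPLE, tok), verify(tamper(SAMPLE), tok))
```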
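The choke-point scheduling point above (FIFO letting a big flow starve small ones, fair queuing preventing it), as an added example that is not from the original post: a tick-level simulation of a link that drains one size unit per tick, comparing FIFO with deficit round robin, a common approximation of fair queuing. The arrival pattern (a bulk flow already queued ahead of a small interactive flow) and the packet sizes are constructed.

```python
from collections import deque

# Constructed arrivals at the choke point, all queued at t=0: 20 full-size bulk
# packets (size 10) already ahead of 3 small interactive packets (size 1).
ARRIVALS = [("bulk", 10)] * 20 + [("small", 1)] * 3


def fifo_finish_times(arrivals):
    """FIFO: serve strictly in arrival order. Returns tick at which each flow's
    last packet leaves the link (one size unit per tick)."""
    done, t = {}, 0
    for flow, size in arrivals:
        t += size
        done[flow] = t
    return done


def drr_finish_times(arrivals, quantum=10):
    """Deficit round robin: one queue per flow, visited in turn; each visit adds
    'quantum' credit and sends packets while credit covers them. Small flows get
    a share of the link every round instead of waiting behind the bulk backlog."""
    queues = {}
    for flow, size in arrivals:
        queues.setdefault(flow, deque()).append(size)
    deficit = {flow: 0 for flow in queues}
    active = deque(queues)          # round-robin order of flows with backlog
    done, t = {}, 0
    while active:
        flow = active.popleft()
        deficit[flow] += quantum
        q = queues[flow]
        while q and q[0] <= deficit[flow]:
            size = q.popleft()
            deficit[flow] -= size
            t += size
            done[flow] = t
        if q:
            active.append(flow)     # still backlogged: keep its unused credit
        else:
            deficit[flow] = 0       # idle flow cannot bank credit
    return done


if __name__ == "__main__":
    print("FIFO:", fifo_finish_times(ARRIVALS))
    print("DRR: ", drr_finish_times(ARRIVALS))
```

Under FIFO the small flow's last packet leaves at tick 203; under DRR it leaves at tick 13 while the bulk flow still finishes at tick 203, so the big flow loses nothing in total throughput.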


After looking at what GoGo is doing, it seems that all they really want to do is just block YouTube. The problem is telling the user what they're doing, so they don't bitch at the flight attendants. Technically, they should send back an ICMP Type 3 message, "Destination Unreachable" with code 10 (Communication with Destination Host Administratively Prohibited) or code 13 (Communication Administratively Prohibited by Filtering). But that info won't make it up to the browser in either Windows or Linux. About the best you can get through to the client program is a "Host Unreachable" error code.

So, in the style of most web intermediates, they're trying to do this at the HTTP level. Which doesn't work well for HTTPS requests. One of the annoying features of HTTPS is that there's no standard way for a site to say "I don't speak HTTPS". I run a crawler, and responses to HTTPS requests include timing out, sending non-HTTPS data confusing the SSL/TLS layer, and refusing to open a TCP connection.

About the most legit thing they might do is open an HTTPS connection using a cert signed for a domain name such as "YOUTUBE-IS-BLOCKED-BECAUSE-YOU-ARE-ON-AN-AIRPLANE.NET". The HTTPS open will fail due to domain mismatch, and the browser popup will have some useful info. If the user actually lets the connection open, they can be given a page on why satellite links don't have enough bandwidth to let everyone on a plane watch cat videos.


DOCSIS 3.1 is not using FQ, but the PIE AQM. And it hasn't shipped yet.

In the interim, fq_codel (which combines FQ and AQM) now dominates the field of 3rd party firmware and home routers. It turns out that neither FQ nor AQM is computationally intense anymore, but software rate limiting is.



