SquareLemon Blog

mitm at 30,000 feet

In the past week I have seen a few mentions on twitter regarding Gogo Air presenting fake SSL certs for YouTube to users of their in air Internet access service:

I started to wonder if they were using the same technique that I had recently been researching and discussing in my Corporation in The Middle talk. Luckily for me, my friend Benjammingh was one of those who noticed and was currently on a Gogo flight, so I asked him to take a packetdump for analysis.

The short summary is that this is not the same technique, in fact this looks like in-flight transparent proxying….

For one thing there is this giveaway in the http response header:

    X-Cache: MISS from
    X-Cache-Lookup: MISS from
    Via: 1.0 (squid/2.6.STABLE14)

This is indeed squid, quite an old install of squid, on the default port.

Secondly, the TTL on all the packets was 64. Now, most OS’s tend to use round numbers for default TTL values (32, 64, 128). Assuming this to be the case, this would indicate that either YouTube is exactly 64 hops away or the packets are originating from the local network segment, which would be consistent with a local (transparent) proxy.
It’s hardly an in-depth analysis, but at this point it seems to be more than we have at the minute, and it would explain how they are Man in The Middle’ing the connection, the question still remains…. why?