Reporter Steven Petrow published a scary first-hand tale in USA Today, claiming that his email was hacked by another passenger on a Gogo-enabled flight. The implication was that you shouldn’t use email on Gogo unless you’re using a VPN.
But Petrow’s email didn’t get intercepted because of some flaw with Gogo. It got intercepted because he wasn’t connecting to the POP or SMTP servers via SSL. In fact, his email provider, Earthlink, doesn’t even support SSL for email.
Robert Graham at Errata Security explains:
Early Internet stuff wasn’t encrypted, because encryption was
hard, and it was hard for bad guys to tap into wires to eavesdrop.
Now, with open WiFi hotspots at Starbucks or on the airplane, it’s
easy for hackers to eavesdrop on your network traffic.
Simultaneously, encryption has become a lot easier. All new
companies, those still fighting to acquire new customers, have
thus upgraded their infrastructure to support encryption. Stagnant
old companies, who are just milking their customers for profits,
haven’t upgraded their infrastructure.
You see this in the picture below. Earthlink supports older
un-encrypted “POP3” (for fetching email from the server), but not
the new encrypted POP3 over SSL. Conversely, GMail doesn’t support
the older un-encrypted stuff (even if you wanted it to), but only
the newer encrypted version.
Gogo is far from perfect, but it certainly wasn’t at fault in this case.
Update: Like a lot of you, I’m not even sure I buy the whole story. Whole thing seems fishy.
★ Friday, 26 February 2016