When I travel, I use a VPN whenever I connect to any network. Frankly, I don’t trust people I don’t know to protect my information or respect my privacy. Ironically, this seems to be a controversial viewpoint these days.
So let me re-frame the arguments for encrypting everything all the time.
Proper Behavior
At a very high level, the Internet works with a simple set of verbs for doing things and status codes to indicate the relative success of communications. When you request a web page, for example, you send a GET request (verb) to a web server. If everything’s OK, the server sends back the page with a 200 status code. If the page has moved, the server sends back a 300 status code and instructions on where to find the new location.
If a user makes a mistake – requesting a secure page without security, requesting a page that doesn’t exist, etc. – the server responds with a 400 status code to indicate the error (and usually a helpful page explaining what happened and how to fix it). If the server makes a mistake, it sends out a 500 status code and some instructions on how to contact support.
I’m skipping over a bunch of details here, but the key point is that the Internet works based on much of the above information. Applications (not just your browser) use the standard verbs to request, create, delete, update, and verify information. They also depend on servers communicating back the right status code so they know how to behave.
Poor Behavior
When a developer builds an application, they treat these communication standards as a contract. Just like while driving down the street you expect drivers you’ve never met to obey stop lights and speed zones, developers expect servers they’ve never met to obey the same contract as the rest of the Internet.
But sometimes, a provider doesn’t follow the rules.
While working with Vagrant today, I ran into an issue. My automation scripts run on boot to make sure my virtual machine is up-to-date and attempts to verify certain application keys with an Ubuntu keyserver before proceeding. My tools expect that these keys are non-existent: they expect the request to result in a 404 Not Found error from the server.
While flying to Boston, my tools failed.
As it turns out, the GoGo Inflight Internet tries to be a bit too helpful and breaks the contract my application expected the Internet to follow. My tools expected to see:
HTTP/1.1 404 Not Found
Date: Fri, 21 Aug 2015 16:14:09 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Instead, they saw:
HTTP/1.0 302 Moved Temporarily
Server: squid/3.1.20
Mime-Version: 1.0
Date: Fri, 21 Aug 2015 16:13:21 GMT
Content-Type: text/html
Content-Length: 0
Location: http://airborne.gogoinflight.com/abp/squidError.do
X-Squid-Error: 403 Access Denied
X-Cache: MISS from 172.19.134.2
X-Cache-Lookup: MISS from 172.19.134.2:3128
Via: 1.0 172.19.134.2 (squid/3.1.20)
Connection: keep-alive
GoGo Inflight is using a transparent proxy to intercept, inspect, and process all traffic being sent from the airplane. On the one hand, this means they can return custom error pages like the one above in an attempt to “help” customers find the right information.
On the other hand, it means they make it impossible for developers to know what to expect when our customers are using our tools over their network connection. My tools expect a 404 error. GoGo Inflight thinks it knows better and, rather than returning the 404 as expected, redirects the user to a separate page that, in turn, sends a 200 OK status code.
Beyond Contracts
This is hugely detrimental to the proper behavior of the Internet, but it also goes much deeper than that. In order to capture 404 errors and return custom error pages, GoGo Inflight needs to inspect every piece of content traversing the network!
Again, I highly advise using a VPN whenever you travel (i.e. are not connected to a trusted network over a hardline). When it comes to airlines, though, that’s not always an option. I have an AnyConnect VPN, an OpenVPN, and an IP2Sec connection available – none of them work over GoGo Inflight’s network. This means the only traffic I can send securely while in the air is over SSL-protected connections.
I’m disappointed that the endpoints my tools use are HTTP and not HTTPS, but thanks to endeavors like HTTPS Everywhere, some day soon they might be properly secure. It’s not a matter of just ensuring that our tools work properly and that the Internet follows the contract we expect it to. Having secure connections everywhere means we can use these tools and the Internet in general safe in the knowledge that no one is eavesdropping on or interfering with our communications.
Even when intentions are honorable – I have no doubt GoGo Inflight is trying to be a helpful vendor here – any sort of interference in network communications is dangerous.