I have a friend who did similar tunneling a while ago. It also works on cruise ships.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.
Someone was using Xray, proxying to my employer, and it was detected in our attack surface management tool (Censys). I had some quite stressful few minutes before I realised what was going on, "how the hell have our TLS cert leaked to some random VPS hoster in Vietnam!?".
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.
> I have a friend who did similar tunneling a while ago. It also works on cruise ships.
Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.
I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)
They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)
If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.
What does a Starlink installation cost (upfront and ongoing) to service 3000-5000 daily users at expected speeds?
Don't forget to price in the costs of installing and maintaining a WiFi network that works consistently in a metal ship whose interior is composed from prefab metal modules. (Hint: every cabin, every space, has one or more APs).
I haven't done the math, and I'm sure they profit on the offering, but I doubt it's as egregious as these replies make it sound.
(I thought about this a bit when I was on a cruise that offered Starlink this past summer.)
Edit: also don't forget that everyone gets free WiFi, it's just that internet access is restricted for guests who don't pay. So it does need to support the ship's full complement and passengers.
IIRC the cost of Starlink for ships is actually very high. Starts at $5k per month for a commercial vessel I think. Can’t imagine what it is for a passenger ship, but Musk is making his money to be sure.
Ah yeah that makes sense. They have messaging built into their app so you can message friends and family while onboard the ship. I didn't use it - but of course, if they block APNS, messages wouldn't be able to show up on the lock screen.
I bet there some IT team at the cruise line that leaves these back doors in their systems deliberately as an “on-board activity” for their hacker customers.
Hah! Well it worked for me! It kept me entertained for the better part of a day.
I never figured out a way to route internet on my phone through my laptop. But it was probably for the best. It was lovely spending a few weeks with no internet connection on my phone, in arms reach away at all times.
The modern cruise ship techie Internet solution is a starlink mini. The cost of the dish plus service and a middle finger to the cruise ship company that your family dragged you on is worth more than the number of dollars it cost to go on the cruise. (The alternative, having a healthy family dynamic, is a whole other can of worms.)
Oh, the travel router trick. As a techie with too many devices, plus family, you use the travel router to buy the Internet package and then everyone else associates to the travel router and you don’t have to pay for Internet access six different times.
Why do people comment on HN? Different strokes for different folks.
But basically you get to see a bunch of destinations while all your travel is organized for you, you never have to switch rooms and constantly pack/unpack, and the actual travel part is infinitely more comfortable.
A room and sundeck and pool beats a plane seat or train seat any day.
I'm not into cruises myself, but the appeal seems pretty understandable in terms of convenience.
Downside is you don’t see that much - you get 4-6 hours each day in some city and are offered incredibly expensive day tours (kinda worth it because you have so little time).
I doubt this is a legitimate question, but I'll bite: It is cheap.
Go price out hotels and food in any major destination for one week. Now go price out a cruise for one week which also includes entertainment and a travel component. Somehow, the cruise is CHEAPER and offers more.
People who are older or with limited mobility find it far easier to get see multiple destinations without having to unpack/pack, navigate difficult airports, etc. I have been on a few, and while I’m not the biggest fan, they’re not terrible if you are traveling with folks who have mobility issues. I would not go on a cruise after COVID, though.
They’re also far less expensive than many other vacations, especially if you have kids and are considering Disney stuff.
The amount of public WiFi's (including in-flight ones) I've bypassed by running a vpn server on udp port 53 is honestly insane. Sadly, this is becoming less commonplace many captive portals don't allow any egress at all aside from the captive portal's IP - but alas - still impressive how many are susceptible. It also bypasses traffic shaping (speed limiting) on most networks that are publicly accessible even if they do require some kind of authorization to enable external accessibility.
Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
The networks where you can pay through the captive portal have to temporarily allow all traffic to load their payment widget and provide 3D-Secure (they don't know the domain your bank uses for that, so they have to allow all). Those can generally be bypassed by initiating the payment flow over and over again.
Some implementations of 3d secure load in an iframe, and the containing app waits for a postMessage from inside the iFrame to confirm that 3d secure has completed successfully
If you can load your own content into the iframe, and can figure out what the containing page web app is expecting, you can send window.parent.postMessage() and bypass 3dsecure
Yea, I run wireguard & OpenVPN on port53 (different VPS) just in case it works. Unfortunately my experience with the "pay to use" WiFi so far has been they validate that port 53 is valid DNS traffic, and often don't allow arbitrary resolvers (e.g. `dig example.com @1.1.1.1` will not work)
You can use iodine and do a delegation from a real domain: It encodes packets in subdomains of your domain (and decodes them with a special DNS server). It is not fast.
I like to use SNI with e.g. pagead2.googlesyndication.com and www.googletagmanager.com because a lot of captive portals put ads on them, and I it on a google cloud instance since they own the IP.
TCP would be too wasteful - Whatsapp already has retransmissions/etc. You'd want to proxy at a higher layer such as HTTP and just relay HTTP messages (or ideally QUIC traffic so that you take advantage of header reuse/compression, etc - but somehow disable retransmissions since you're already on a reliable link).
I think that's essentially what my HTTPS proxy does; except rather than actually being over WhatsApp (i.e. using WA messages or w/ever), the SNI tricks their authorization into thinking I'm using WA, while I am connecting to my proxy.
Just a heads up before you attempt something like this. When on a plane, you may be subject to laws you don’t know or understand. In the US this could be considered tampering with the aircraft electronic systems and potentially send you to jail for many years. So if you don’t want to find out perhaps pay the $30 or whatever it is for Internet access.
How? Unless I'm misunderstanding the word, "tampering" implies "making alterations to", and no aircraft systems are altered in any way - they are exactly as they were, doing exactly as they're programmed. (Ab)using the difference between implied programming and de-facto programming could be unauthorized access, but I don't see how that could possibly constitute tampering.
Not that I disagree with your overall point, just the tampering bit strikes me as particularly odd.
You may be right but it’s not up to you to determine if you are in violation of a federal law. If there’s a non-zero chance you can compromise the safety of the flight that’s all a prosecutor would need to charge you. Yes the possibilities of that happening are remote but also non-zero. So all I’m saying is make sure you calculate the risk and decide if saving $30 it’s worth a tiny possibility of a legal mess or even being banned from ever flying in that airline again. I’m risk averse for this kind of stuff so I would pay for internet access.
One surely can be charged with anything. What I'm trying to say is that tampering or compromising safety of the flight are IMHO highly improbable charges that are very unlikely to appear, and even less likely to stick. Hell, I strongly suspect airline is going to defend the hacker in this scenario, because they absolutely wouldn't want anyone (especially FAA) to ever think their firewall bug can affect flight safety.
I think it's well-known that entertainment systems have to be isolated from main systems of the aircraft. I'm not an expert, but I know that it was the case that IFEs weren't safe, plane(s) went down because of that, so we no longer do that.
All this said, I totally agree with you that there is a non-negligible chance that abusing the network policies could lead to some charges, possibly even criminal charges. Or, at the very least, lead to some unpleasantness that surely isn't worth 30 bucks. Just not the charges you're mentioning.
I interviewed for a cybersecurity position with BA a little while back, it was a bit odd in general. I mentioned a few issues I thought were serious holes on their website, equivalent to the breach they ended up being fined for.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
BA was the one who got pwned with a card skimmer script on their checkout page, so this tracks.
On the other hand, in-flight Wi-Fi "security" and actual company property security don't have anything to do with it. The in-flight Wi-Fi isn't protecting anything, it's just there as an annoyance to get a few extra bucks similarly to catering (and just like the latter, typically outsourced to a third-party which just allows them to white-label it).
Starlink-based ones have enough bandwidth for the whole plane to have workable bandwidth (just rate-limit based on client so no single heavy user hogs the entire bandwidth).
There's also an European one whose name currently escapes me which uses a custom flavor of LTE and special ground stations that also happily provides hundreds of mbps.
Capacity is primarily an issue on the legacy BGAN-based ones where you have a handful of mbps for the entire plane.
> They said a pentest would find them if they were important.
Is it just me, or are pentests about as useless as a UK home survey? Like, they're not going to move the furniture to look for issues.
I've experienced many companies who think due diligence is done by paying a 3rd party company to do the annual pentest. Meanwhile, the eng that actually work on the product, and know about potential issues, can't get leadership buy-in to invest in security.
They're not all bad. We're selling our house and the buyer's surveyor was incredibly thorough - he picked up on some small issues I'd never even noticed even though they were right in front of my eyes the last few years (nothing serious though). He was so good that I'd definitely use him for any future moves.
Pentests can be brilliant if you know the scope you want to have tested. The additional benefit being the business is more likely to pay (engineering time!) for fixes of the issues reported.
> Something along the lines of arbitrary subdomains which represent the request payload, and a custom nameserver that returns responses via the TXT record or something. Anyway…).
I did something similar ~12 years ago, albeit it was just http(a) over UDP tunneling, and not DNS specifically.
I had to spend 8 hours in Stansted airport, and I managed to setup the tunnel while in the time limit of the free WiFi (I think it was 30'). It felt good, haha.
I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.
Funnily enough, I'm on a British Airways flight right this moment. I'm only using a basic Wireguard tunnel after enabling the free messaging plan. I get the sense they didn't design the firewall to block everything comprehensively.
As someone who thoroughly enjoys being forced to be offline when flying, as an escape from the world for a few hours, I hope your efforts do not lead to free wifi for all!
You've got free will right? Nobody forces you to be online, be it on a plane or on your sofa. Even if those around you are using the internet on a plane it's of zero consequence to you.
Not all of us are heroin/wifi addicts. But when I am on a 16-hour flight with nothing to do, I can use the wifi do some work. I actually enjoy my work.
Nice! I created tuningfork [1] a couple of months ago that proxies traffic through another node for the configured upstream. I wanted to understand networks, so rolled my own thing. And I wanted to bypass age verification laws in UK :)
I also recently flew on BA and bypassed the free WiFi restrictions just by using a VPN. Not sure why that worked, but with Mullvad I was able to browse Hacker News in the air. Didn't need anything more advanced than that!
I was in a intercontinental flight few weeks ago and when everyone was sleeping my wife was able to open Instagram and scroll the feed, while other websites were not accessible.
I did not have a PC with me, but I immediately guessed about they are doing filtering based on SNI.
Appliances like Allot or Sandvine are in this market since more than a decade.
What's up with the dates? The HN page shown in the screenshot is from 18-05-2025 around 1pm GMT, while the curl commands show a date of 09-05-2025. The story sounded like it was a single journey from EDI to HKG via LHR.
Sorry if its a bit unclear; the first part was HKG -> LHR when I kinda discovered it (9th May), and then the HTTPS proxy test was my flight back LHR -> HKG (18th May)
If you use Lyrebird not only can you obfuscate your traffic behind various transports, it does domain fronting by default. Don't have to jump through this many hoops.
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
Thanks. That README is a bit out of date from when the project just implemented a single transport, this is more accurate[1]. It's what's used in the latest Tor Browser.
A TOR dev gave a recent talk at DEFCON [1], and described this as one of the ways that attempts at nationwide blocks to the TOR network are implemented. I'm not sure that it's exactly the same as domain fronting, since that might involve a CDN, but the technique is very close.
There may not be any "free messaging" or similar offers is my guess. In fact using ECH it is already possible to spoof the SNI but make a real TLS handshake to the underlying domain; you can try it on my test website[0] with wireshark open on the side (if your browser supports ECH)
Except if the messengers happily collude with you, which Facebook does - they have a website (can't remember the link) where network providers can get IP ranges and other information to enable "zero rating" for Facebook's properties.
Yep; on my way to LHR I was intrigued by their "free messaging" and wanted to poke around, with the SNI hypothesis I did the actual HTTPS proxy setup on a VPS while in the UK, so I could actually try and proxy arbitrary browser traffic on the way back
At some point the cost of the meter exceeds the value of the product being metered. This happened very soon after hotels really jacked up telephone bills. Somehow they decided not to stop being silly, simply to bill the ignorant or lazy and airlines look to be cut from the same DNA: we're maybe going to wind up with viable cellular comms inside aircraft that bypasses the airline.
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
I totally believe pirating is not stealing, but this really is. Tech people are probably the highest paid profession now, you still dont want to pay for your wifi?
This person just shared (for free) tons of experience, knowledge and insight into thinking/problem-solving process, for others to enjoy and learn from - and your only comment is attack on them for "stealing" somehow, by not sending e.g. 300 WA messages, but instead kilobytes of HN content?
How much would you calculate was stolen this way? Based on which factors?
As a side note, those pesky "tech people" are most certainly not THE most paid profession, now or ever.
I wouldn’t be upset to see a disclaimer that this was done as a proof of a technical concept and not to save a buck.
For readers, I totally understand trying at once but it would be odd if e.g. someone I know who makes six figures told me they exploited this on every leg of their journey.
We wouldn’t want to fill our water cups with soda even if it only costs the restaurant a penny.
So this, in your opinion, causes more damage than violating someone's copyrights? This is quite literally just using a resource than would otherwise be wasted. Of course, the electricity use is lower if less people use this network, but this is negligible.
>just using a resource than would otherwise be wasted
I take care with this line of reasoning. It could be extended to a college class with an extra seat at the back, a chairlift at a ski resort on a slow day, that kind of thing. Using either can lead to theft of services charges.
Oh, it absolutely can lead to charges (same as piracy referred to in the comment I responded to), which doesn't change the fact that it is using a resource that would otherwise be wasted. A college class is a perfect example. Not every illegal act is unethical.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.
[1] https://github.com/XTLS/Xray-core
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.
Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.
I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)
They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)
If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.
Don't forget to price in the costs of installing and maintaining a WiFi network that works consistently in a metal ship whose interior is composed from prefab metal modules. (Hint: every cabin, every space, has one or more APs).
I haven't done the math, and I'm sure they profit on the offering, but I doubt it's as egregious as these replies make it sound.
(I thought about this a bit when I was on a cruise that offered Starlink this past summer.)
Edit: also don't forget that everyone gets free WiFi, it's just that internet access is restricted for guests who don't pay. So it does need to support the ship's full complement and passengers.
Starlink hardware (aka community hub) is $1.25M. Actual bandwidth cost is 75k per gbps per month.
I never figured out a way to route internet on my phone through my laptop. But it was probably for the best. It was lovely spending a few weeks with no internet connection on my phone, in arms reach away at all times.
But basically you get to see a bunch of destinations while all your travel is organized for you, you never have to switch rooms and constantly pack/unpack, and the actual travel part is infinitely more comfortable.
A room and sundeck and pool beats a plane seat or train seat any day.
I'm not into cruises myself, but the appeal seems pretty understandable in terms of convenience.
Go price out hotels and food in any major destination for one week. Now go price out a cruise for one week which also includes entertainment and a travel component. Somehow, the cruise is CHEAPER and offers more.
That's it. That's the whole answer.
They’re also far less expensive than many other vacations, especially if you have kids and are considering Disney stuff.
Still a human Petri dish.
Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
If you can load your own content into the iframe, and can figure out what the containing page web app is expecting, you can send window.parent.postMessage() and bypass 3dsecure
I like to use SNI with e.g. pagead2.googlesyndication.com and www.googletagmanager.com because a lot of captive portals put ads on them, and I it on a google cloud instance since they own the IP.
My openvpn config was a long list of commonly accepted ports on either tcp or udp.
Startup would take a while but the number of times it worked was amazing.
If one could create a TCP-over-WhatsApp VPN that would be fantastic.
I'd rather have a straightforward TCP-over-WhatsApp proxy than some hacky thing that only works for HTTP, has to peek inside your TLS sessions, etc.
How? Unless I'm misunderstanding the word, "tampering" implies "making alterations to", and no aircraft systems are altered in any way - they are exactly as they were, doing exactly as they're programmed. (Ab)using the difference between implied programming and de-facto programming could be unauthorized access, but I don't see how that could possibly constitute tampering.
Not that I disagree with your overall point, just the tampering bit strikes me as particularly odd.
I think it's well-known that entertainment systems have to be isolated from main systems of the aircraft. I'm not an expert, but I know that it was the case that IFEs weren't safe, plane(s) went down because of that, so we no longer do that.
All this said, I totally agree with you that there is a non-negligible chance that abusing the network policies could lead to some charges, possibly even criminal charges. Or, at the very least, lead to some unpleasantness that surely isn't worth 30 bucks. Just not the charges you're mentioning.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
On the other hand, in-flight Wi-Fi "security" and actual company property security don't have anything to do with it. The in-flight Wi-Fi isn't protecting anything, it's just there as an annoyance to get a few extra bucks similarly to catering (and just like the latter, typically outsourced to a third-party which just allows them to white-label it).
There's also an European one whose name currently escapes me which uses a custom flavor of LTE and special ground stations that also happily provides hundreds of mbps.
Capacity is primarily an issue on the legacy BGAN-based ones where you have a handful of mbps for the entire plane.
Sorry, pet peeve: do you mean MB/s, Mb/s, or something else? Probably not the milli-bits per second (mbps) that you wrote.
Is it just me, or are pentests about as useless as a UK home survey? Like, they're not going to move the furniture to look for issues.
I've experienced many companies who think due diligence is done by paying a 3rd party company to do the annual pentest. Meanwhile, the eng that actually work on the product, and know about potential issues, can't get leadership buy-in to invest in security.
Should it be your only security strategy? No. But it can help in combination with other solutions.
This is iodine. https://github.com/yarrick/iodine
I had to spend 8 hours in Stansted airport, and I managed to setup the tunnel while in the time limit of the free WiFi (I think it was 30'). It felt good, haha.
dig @ch.at "your question" TXT
It is admittedly quite slow/intermittent though; I wouldn't be surprised if that's the reason it didn't look like it was working for you.
[1] - https://github.com/mutn3ja/tuningfork
https://github.com/StreisandEffect/streisand
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
…in case anyone else needed a link.
[1] https://support.torproject.org/tbb/lyrebird/
[1] https://youtu.be/djM70O0SnsY
I find it pathetic that vendors and ISPs are snooping SNI headers to block things, looking at you, UK.
Also, I wonder what will happen if those instant messaging apps move to Encrypted SNI (ECH), will they just not work, or is there fallback?
[0] https://rfc5746.mywaifu.best:4443/
And if they allow large IP ranges, one could try to spin up a virtual machine on the same cloud provider as the messaging platform.
Except if the messengers happily collude with you, which Facebook does - they have a website (can't remember the link) where network providers can get IP ranges and other information to enable "zero rating" for Facebook's properties.
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
How much would you calculate was stolen this way? Based on which factors?
As a side note, those pesky "tech people" are most certainly not THE most paid profession, now or ever.
For readers, I totally understand trying at once but it would be odd if e.g. someone I know who makes six figures told me they exploited this on every leg of their journey.
We wouldn’t want to fill our water cups with soda even if it only costs the restaurant a penny.
I take care with this line of reasoning. It could be extended to a college class with an extra seat at the back, a chairlift at a ski resort on a slow day, that kind of thing. Using either can lead to theft of services charges.