He discovered that on some airlines (I think American?), they use an advanced Fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However, a friend was able to get it to work on American's in-flight firewall if the proxy SNI is set to Google Analytics.
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.
Hah, I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And it's weird - they have wifi and a phone app that works over the internet even if you don't pay. Google Maps seemed to work. And my phone could receive notifications from Apple just fine. But that was about it.
I spent some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple of packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If present, the domain is checked to see if it's on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)
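As an added illustration of the inspection step described in the comment above (this is example code written for this page, not anything from the cruise line, the airline or a firewall vendor), the block below parses a TLS ClientHello record, pulls out the SNI extension and applies an allowlist to it. The allowlist entries are constructed placeholders, and `build_client_hello` only manufactures minimal test records so the parser can run offline. The parser also flags the draft Encrypted Client Hello extension (codepoint 0xfe0d is an assumption taken from draft-ietf-tls-esni), which answers the later question in this thread about ECH: an inspecting device still sees an outer SNI, but it is the ECH public name rather than the real destination. Note the limitation that an earlier comment already points out: the SNI is unauthenticated client input, so a policy that trusts it alone is weaker than one that also checks the server's Certificate message in TLS 1.2.

```python
import struct

# Constructed allowlist standing in for the operator's list of zero-rated hostnames.
ALLOWLIST = {"www.example-cruise.test", "visa.example.test"}

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello, draft codepoint (assumption)


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'ech': bool} for one TLS ClientHello record.

    Raises ValueError when the bytes are not a handshake record carrying a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    comp_len = hello[pos]; pos += 1 + comp_len     # compression_methods

    result = {"sni": None, "ech": False}
    if pos + 2 > len(hello):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:                     # host_name entry
                    result["sni"] = data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        elif etype == EXT_ECH:
            result["ech"] = True
    return result


def build_client_hello(sni=None, extra_ext=()) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (test input only, not real client output)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    for etype, edata in extra_ext:
        exts += struct.pack("!HH", etype, len(edata)) + edata
    hello = (b"\x03\x03" + b"\x11" * 32            # version + fixed "random"
             + b"\x00"                             # empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
             + b"\x01\x00"                         # null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def policy(record: bytes, allowlist=ALLOWLIST) -> str:
    """Fail closed: 'allow' only when a parseable ClientHello carries an allowlisted SNI."""
    try:
        info = parse_client_hello(record)
    except ValueError:
        return "block"
    if info["sni"] is None:
        return "block"
    return "allow" if info["sni"] in allowlist else "block"


if __name__ == "__main__":
    for name in ("www.example-cruise.test", "www.example.net", None):
        print(name, "->", policy(build_client_hello(name)))
    print(parse_client_hello(build_client_hello("public.example.test", [(EXT_ECH, b"\x00")])))
```

The fail-closed choice in `policy` (no SNI, or not TLS at all, means block) matches what the comment observed: connections that do not present a recognisable ClientHello are reset rather than allowed through. A device applying this logic sees only what the client chose to put in the extension, which is exactly why the more thorough appliance mentioned at the top of the thread also validates the certificate the server sends back.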
They clearly know about the problem. There are some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)
If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.
Don't forget to price in the costs of installing and maintaining a WiFi network that works consistently in a metal ship whose interior is composed from prefab metal modules. (Hint: every cabin, every space, has one or more APs).
I haven't done the math, and I'm sure they profit on the offering, but I doubt it's as egregious as these replies make it sound.
(I thought about this a bit when I was on a cruise that offered Starlink this past summer.)
Edit: also don't forget that everyone gets free WiFi, it's just that internet access is restricted for guests who don't pay. So it does need to support the ship's full complement and passengers.
I’m sure servicing thousands of people via Starlink is expensive. But the cost is amortised over the number of people using it. Thousands of users should make internet access cheaper, not make it more expensive.
They also don’t provide “normal” internet speeds. I was usually getting about 20kBps - which is painfully slow. I tried to have a zoom call on the one day I paid for internet, and every minute or two we would get a latency spike of 10+ seconds. Those latency spikes went away on other days, but the speed never improved much.
The ship I was on is apparently quite old by modern standards. Maybe they don’t have enough Starlink satellites installed or something. (It was definitely Starlink.) But if that’s the case, it makes the price they’re asking all the more outrageous. For $50/day I could probably bring my own Starlink satellite on board and it would come out cheaper.
I have never used Starlink otherwise and, frankly, expected much worse service - especially on a cruise ship.
I'd definitely be unhappy paying $50/day for what you described. But I paid less (there was a discount for buying a package ahead of time for my family's devices) and got better service it sounds like.
Starlink hardware (aka community hub) is $1.25M. Actual bandwidth cost is 75k per gbps per month.
I never figured out a way to route internet on my phone through my laptop. But it was probably for the best. It was lovely spending a few weeks with no internet connection on my phone, within arm's reach at all times.
Almost all of these special pricing/zero-rating schemes will include platform push in the zero rated traffic. Can't use anything without it, and most of the platforms have public pages describing how to identify their traffic, because there's lots of networks that want to allow it.
But basically you get to see a bunch of destinations while all your travel is organized for you, you never have to switch rooms and constantly pack/unpack, and the actual travel part is infinitely more comfortable.
A room and sundeck and pool beats a plane seat or train seat any day.
I'm not into cruises myself, but the appeal seems pretty understandable in terms of convenience.
They’re also far less expensive than many other vacations, especially if you have kids and are considering Disney stuff.
Still a human Petri dish.
Go price out hotels and food in any major destination for one week. Now go price out a cruise for one week which also includes entertainment and a travel component. Somehow, the cruise is CHEAPER and offers more.
That's it. That's the whole answer.
Long hours and low pay - Some workers face shifts of more than 12 hours a day, seven days a week, often without overtime pay. Wages can be very low, sometimes below $20 per day, though tips can supplement income. Workers often live in small, shared cabins with limited personal space. Ships are often registered in countries with lax regulations. No pay between workers' contracts.
These are ONLY some of the reasons ....
There is a level of convenience that is hard to get elsewhere.
I went on a Disney cruise 2 summers ago. All restaurants were in walking distance. All of deck 5 was dedicated to child care. They took you straight to excursions. Family was close, but not too close.
There were some downsides, too, but let's not focus on those. I think the "king" reason we went is because the grandparents were paying and they wanted everyone to be "there" and not leaving. I think the main reason we aren't going again is cost.
Highly recommend SoftEther as they give you juicy Azure relay capability for free, which is allowed in more "whitelist only" networks than your own VPS server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
If you can load your own content into the iframe, and can figure out what the containing page web app is expecting, you can send window.parent.postMessage() and bypass 3dsecure
My OpenVPN config was a long list of commonly accepted ports on either TCP or UDP.
Startup would take a while but the number of times it worked was amazing.
I like to use SNI with e.g. pagead2.googlesyndication.com and www.googletagmanager.com because a lot of captive portals put ads on them, and I run it on a Google Cloud instance since they own the IP.
If one could create a TCP-over-WhatsApp VPN that would be fantastic.
I'd rather have a straightforward TCP-over-WhatsApp proxy than some hacky thing that only works for HTTP, has to peek inside your TLS sessions, etc.
This is iodine. https://github.com/yarrick/iodine
I had to spend 8 hours in Stansted airport, and I managed to set up the tunnel within the time limit of the free WiFi (I think it was 30'). It felt good, haha.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
On the other hand, in-flight Wi-Fi "security" and actual company property security don't have anything to do with it. The in-flight Wi-Fi isn't protecting anything, it's just there as an annoyance to get a few extra bucks similarly to catering (and just like the latter, typically outsourced to a third-party which just allows them to white-label it).
There's also a European one whose name currently escapes me which uses a custom flavor of LTE and special ground stations that also happily provides hundreds of mbps.
Capacity is primarily an issue on the legacy BGAN-based ones where you have a handful of mbps for the entire plane.
Sorry, pet peeve: do you mean MB/s, Mb/s, or something else? Probably not the milli-bits per second (mbps) that you wrote.
Is it just me, or are pentests about as useless as a UK home survey? Like, they're not going to move the furniture to look for issues.
I've experienced many companies who think due diligence is done by paying a 3rd party company to do the annual pentest. Meanwhile, the eng that actually work on the product, and know about potential issues, can't get leadership buy-in to invest in security.
Should it be your only security strategy? No. But it can help in combination with other solutions.
Hey it confirms the loft exists at least, by virtue of the surveyor sticking their head through the hatch
Is there a more cushty job in existence??
It is admittedly quite slow/intermittent though; I wouldn't be surprised if that's the reason it didn't look like it was working for you.
How? Unless I'm misunderstanding the word, "tampering" implies "making alterations to", and no aircraft systems are altered in any way - they are exactly as they were, doing exactly as they're programmed. (Ab)using the difference between implied programming and de-facto programming could be unauthorized access, but I don't see how that could possibly constitute tampering.
Not that I disagree with your overall point, just the tampering bit strikes me as particularly odd.
I think it's well-known that entertainment systems have to be isolated from main systems of the aircraft. I'm not an expert, but I know that it was the case that IFEs weren't safe, plane(s) went down because of that, so we no longer do that.
All this said, I totally agree with you that there is a non-negligible chance that abusing the network policies could lead to some charges, possibly even criminal charges. Or, at the very least, lead to some unpleasantness that surely isn't worth 30 bucks. Just not the charges you're mentioning.
Every thread on this topic has some hackers making bad assumptions about how law works based on naive definitions. You've got to understand that law doesn't operate on binary distinctions and that interpretation is an extremely moveable feast.
To give you some context:
Before writing that comment, I looked up a dictionary entry for "tampering", to be sure my knowledge of the ordinary meaning of the word is correct.
Then I looked up and did a quick cursory check on a bunch of laws that included the word, focusing on (but not limiting to) those that mentioned tampering with an aircraft or machinery, or tampering with communications technology of some sort.
During that check I found that everything I found either explicitly mentioned or implied making changes of some sort: alteration, removal, damage, concealment, obstruction, etc. So while I haven't found the explicit legal definition I hoped for, I think it's fairly reasonable to assume that the legal concept of tampering would generally conform to the dictionary definition in this regard.
And thus down the thread I made a suggestion that it's unlikely (no binary here) to apply to the situation. So I asked "how?", to see if I'm missing something, explaining that I personally don't see how "tampering" is applicable.
Yet, your comment suggests to me that I wrote something wrong. While I recognize the "vehicle" example (that I happen to know about) is not entirely dissimilar to the "tampering" here, I'm still missing your point.
In practice - yes, that could happen I guess. I lived in Russia, I've seen a lot worse "creativity" from the courts.
Ideally, though, such "creative legalese" shouldn't be a thing, as it ultimately does more harm than good.
dig @ch.at "your question" TXT
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
…in case anyone else needed a link.
I find it pathetic that vendors and ISPs are snooping SNI headers to block things, looking at you, UK.
Also, I wonder what will happen if those instant messaging apps move to Encrypted SNI (ECH), will they just not work, or is there fallback?
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
And if they allow large IP ranges, one could try to spin up a virtual machine on the same cloud provider as the messaging platform.
Except if the messengers happily collude with you, which Facebook does - they have a website (can't remember the link) where network providers can get IP ranges and other information to enable "zero rating" for Facebook's properties.
How much would you calculate was stolen this way? Based on which factors?
As a side note, those pesky "tech people" are most certainly not THE most paid profession, now or ever.
For readers, I totally understand trying at once but it would be odd if e.g. someone I know who makes six figures told me they exploited this on every leg of their journey.
We wouldn’t want to fill our water cups with soda even if it only costs the restaurant a penny.
I take care with this line of reasoning. It could be extended to a college class with an extra seat at the back, a chairlift at a ski resort on a slow day, that kind of thing. Using either can lead to theft of services charges.