This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).

It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.

[1] https://github.com/XTLS/Xray-core

> I have a friend who did similar tunneling a while ago. It also works on cruise ships.

Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.

I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)

They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)

If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.

The modern cruise ship techie Internet solution is a starlink mini. The cost of the dish plus service and a middle finger to the cruise ship company that your family dragged you on is worth more than the number of dollars it cost to go on the cruise. (The alternative, having a healthy family dynamic, is a whole other can of worms.)

The networks where you can pay through the captive portal have to temporarily allow all traffic to load their payment widget and provide 3D-Secure (they don't know the domain your bank uses for that, so they have to allow all). Those can generally be bypassed by initiating the payment flow over and over again.

I had 8 IPs in a hetzner server years ago. One IP had an iptables rule to accept openvpn on any port.

My openvpn config was a long list of commonly accepted ports on either tcp or udp.

Startup would take a while but the number of times it worked was amazing.

Yea, I run wireguard & OpenVPN on port53 (different VPS) just in case it works. Unfortunately my experience with the "pay to use" WiFi so far has been they validate that port 53 is valid DNS traffic, and often don't allow arbitrary resolvers (e.g. `dig example.com @1.1.1.1` will not work)

There are also airline wifi these days that allow "free messaging" i.e. WhatsApp and Facebook Messenger traffic only.

If one could create a TCP-over-WhatsApp VPN that would be fantastic.

I did something similar ~12 years ago, albeit it was just http(a) over UDP tunneling, and not DNS specifically.

I had to spend 8 hours in Stansted airport, and I managed to setup the tunnel while in the time limit of the free WiFi (I think it was 30'). It felt good, haha.

BA was the one who got pwned with a card skimmer script on their checkout page, so this tracks.

On the other hand, in-flight Wi-Fi "security" and actual company property security don't have anything to do with it. The in-flight Wi-Fi isn't protecting anything, it's just there as an annoyance to get a few extra bucks similarly to catering (and just like the latter, typically outsourced to a third-party which just allows them to white-label it).

> They said a pentest would find them if they were important.

Is it just me, or are pentests about as useless as a UK home survey? Like, they're not going to move the furniture to look for issues.

I've experienced many companies who think due diligence is done by paying a 3rd party company to do the annual pentest. Meanwhile, the eng that actually work on the product, and know about potential issues, can't get leadership buy-in to invest in security.

Maybe their job interviews are their pentest.

TLS might encrypt the contents but it doesn’t encrypt the destination or source IP (how could it?)

Before SNI every https site needed a dedicated IP address. As https got more popular SNI was introduced

You've got free will right? Nobody forces you to be online, be it on a plane or on your sofa. Even if those around you are using the internet on a plane it's of zero consequence to you.

Just don’t do all this work to get free wifi then lol

Do you have a link to the story?

Just bare wireguard on 51820? I think I had tried that but no luck; but I don't remember for sure.

Sorry if its a bit unclear; the first part was HKG -> LHR when I kinda discovered it (9th May), and then the HTTPS proxy test was my flight back LHR -> HKG (18th May)

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...

…in case anyone else needed a link.

A TOR dev gave a recent talk at DEFCON [1], and described this as one of the ways that attempts at nationwide blocks to the TOR network are implemented. I'm not sure that it's exactly the same as domain fronting, since that might involve a CDN, but the technique is very close.

[1] https://youtu.be/djM70O0SnsY

There may not be any "free messaging" or similar offers is my guess. In fact using ECH it is already possible to spoof the SNI but make a real TLS handshake to the underlying domain; you can try it on my test website[0] with wireshark open on the side (if your browser supports ECH)

[0] https://rfc5746.mywaifu.best:4443/

Almost impossible task. The public IPs change every time. Usually they are on CDN that have a very large IP range.

And if they allow large IP ranges, one could try to spin up a virtual machine on the same cloud provider as the messaging platform.

Half of it. He also describes some preparations he did while in the destination and a final test on a flight back.

He wrote at the end he hoped his idea and all preparations will work, because he wouldn't be able to repeat the steps while in-flight.

I am insanely productive on airplanes, I'm sure others are the same.

iodine is just easier in general, but since many airlines use the same vendor - probably the same.

This person just shared (for free) tons of experience, knowledge and insight into thinking/problem-solving process, for others to enjoy and learn from - and your only comment is attack on them for "stealing" somehow, by not sending e.g. 300 WA messages, but instead kilobytes of HN content?

How much would you calculate was stolen this way? Based on which factors?

As a side note, those pesky "tech people" are most certainly not THE most paid profession, now or ever.

So this, in your opinion, causes more damage than violating someone's copyrights? This is quite literally just using a resource than would otherwise be wasted. Of course, the electricity use is lower if less people use this network, but this is negligible.