I have a friend who did similar tunneling a while ago. It also works on cruise ships.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.
Someone was using Xray, proxying to my employer, and it was detected in our attack surface management tool (Censys). I had some quite stressful few minutes before I realised what was going on, "how the hell have our TLS cert leaked to some random VPS hoster in Vietnam!?".
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.
> I have a friend who did similar tunneling a while ago. It also works on cruise ships.
Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.
I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)
They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)
If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.
What does a Starlink installation cost (upfront and ongoing) to service 3000-5000 daily users at expected speeds?
Don't forget to price in the costs of installing and maintaining a WiFi network that works consistently in a metal ship whose interior is composed from prefab metal modules. (Hint: every cabin, every space, has one or more APs).
I haven't done the math, and I'm sure they profit on the offering, but I doubt it's as egregious as these replies make it sound.
(I thought about this a bit when I was on a cruise that offered Starlink this past summer.)
Edit: also don't forget that everyone gets free WiFi, it's just that internet access is restricted for guests who don't pay. So it does need to support the ship's full complement and passengers.
Presumably they maintain all those wifi access points regardless of whether or not anyone buys the wifi package. That lets the cruise app work. And the staff use wifi too.
I’m sure servicing thousands of people via starlink is expensive. But the cost is amortised over the number of people using it. Thousands of users should make internet access cheaper, not make it more expensive.
They also don’t provide “normal” internet speeds. I was usually getting about 20kBps - which is painfully slow. I tried to have a zoom call on the one day I paid for internet, and every minute or two we would get a latency spike of 10+ seconds. Those latency spikes went away on other days, but the speed never improved much.
The ship I was on is apparently quite old by modern standards. Maybe they don’t have enough starlink satellites installed or something. (It was definitely starlink). But if that’s the case, it makes the price they’re asking all the more outrageous. For $50/day I could probably bring my own starlink satellite on board and it would come out cheaper.
IIRC the cost of Starlink for ships is actually very high. Starts at $5k per month for a commercial vessel I think. Can’t imagine what it is for a passenger ship, but Musk is making his money to be sure.
Ah yeah that makes sense. They have messaging built into their app so you can message friends and family while onboard the ship. I didn't use it - but of course, if they block APNS, messages wouldn't be able to show up on the lock screen.
I bet there some IT team at the cruise line that leaves these back doors in their systems deliberately as an “on-board activity” for their hacker customers.
Hah! Well it worked for me! It kept me entertained for the better part of a day.
I never figured out a way to route internet on my phone through my laptop. But it was probably for the best. It was lovely spending a few weeks with no internet connection on my phone, in arms reach away at all times.
The modern cruise ship techie Internet solution is a starlink mini. The cost of the dish plus service and a middle finger to the cruise ship company that your family dragged you on is worth more than the number of dollars it cost to go on the cruise. (The alternative, having a healthy family dynamic, is a whole other can of worms.)
Oh, the travel router trick. As a techie with too many devices, plus family, you use the travel router to buy the Internet package and then everyone else associates to the travel router and you don’t have to pay for Internet access six different times.
Why do people comment on HN? Different strokes for different folks.
But basically you get to see a bunch of destinations while all your travel is organized for you, you never have to switch rooms and constantly pack/unpack, and the actual travel part is infinitely more comfortable.
A room and sundeck and pool beats a plane seat or train seat any day.
I'm not into cruises myself, but the appeal seems pretty understandable in terms of convenience.
Downside is you don’t see that much - you get 4-6 hours each day in some city and are offered incredibly expensive day tours (kinda worth it because you have so little time).
I doubt this is a legitimate question, but I'll bite: It is cheap.
Go price out hotels and food in any major destination for one week. Now go price out a cruise for one week which also includes entertainment and a travel component. Somehow, the cruise is CHEAPER and offers more.
Long hours and low pay - Some workers face shifts of more than 12 hours a day, seven days a week, often without overtime pay.
Wages can be very low, sometimes below $20 per day, though tips can supplement income.
Workers often live in small, shared cabins with limited personal space.
Ships often registered in countries with lax regulations.
No pay between workers contracts
People who are older or with limited mobility find it far easier to get see multiple destinations without having to unpack/pack, navigate difficult airports, etc. I have been on a few, and while I’m not the biggest fan, they’re not terrible if you are traveling with folks who have mobility issues. I would not go on a cruise after COVID, though.
They’re also far less expensive than many other vacations, especially if you have kids and are considering Disney stuff.
The amount of public WiFi's (including in-flight ones) I've bypassed by running a vpn server on udp port 53 is honestly insane. Sadly, this is becoming less commonplace many captive portals don't allow any egress at all aside from the captive portal's IP - but alas - still impressive how many are susceptible. It also bypasses traffic shaping (speed limiting) on most networks that are publicly accessible even if they do require some kind of authorization to enable external accessibility.
Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
The networks where you can pay through the captive portal have to temporarily allow all traffic to load their payment widget and provide 3D-Secure (they don't know the domain your bank uses for that, so they have to allow all). Those can generally be bypassed by initiating the payment flow over and over again.
Some implementations of 3d secure load in an iframe, and the containing app waits for a postMessage from inside the iFrame to confirm that 3d secure has completed successfully
If you can load your own content into the iframe, and can figure out what the containing page web app is expecting, you can send window.parent.postMessage() and bypass 3dsecure
Yea, I run wireguard & OpenVPN on port53 (different VPS) just in case it works. Unfortunately my experience with the "pay to use" WiFi so far has been they validate that port 53 is valid DNS traffic, and often don't allow arbitrary resolvers (e.g. `dig example.com @1.1.1.1` will not work)
You can use iodine and do a delegation from a real domain: It encodes packets in subdomains of your domain (and decodes them with a special DNS server). It is not fast.
I like to use SNI with e.g. pagead2.googlesyndication.com and www.googletagmanager.com because a lot of captive portals put ads on them, and I it on a google cloud instance since they own the IP.
TCP would be too wasteful - Whatsapp already has retransmissions/etc. You'd want to proxy at a higher layer such as HTTP and just relay HTTP messages (or ideally QUIC traffic so that you take advantage of header reuse/compression, etc - but somehow disable retransmissions since you're already on a reliable link).
I think that's essentially what my HTTPS proxy does; except rather than actually being over WhatsApp (i.e. using WA messages or w/ever), the SNI tricks their authorization into thinking I'm using WA, while I am connecting to my proxy.
Just a heads up before you attempt something like this. When on a plane, you may be subject to laws you don’t know or understand. In the US this could be considered tampering with the aircraft electronic systems and potentially send you to jail for many years. So if you don’t want to find out perhaps pay the $30 or whatever it is for Internet access.
How? Unless I'm misunderstanding the word, "tampering" implies "making alterations to", and no aircraft systems are altered in any way - they are exactly as they were, doing exactly as they're programmed. (Ab)using the difference between implied programming and de-facto programming could be unauthorized access, but I don't see how that could possibly constitute tampering.
Not that I disagree with your overall point, just the tampering bit strikes me as particularly odd.
You may be right but it’s not up to you to determine if you are in violation of a federal law. If there’s a non-zero chance you can compromise the safety of the flight that’s all a prosecutor would need to charge you. Yes the possibilities of that happening are remote but also non-zero. So all I’m saying is make sure you calculate the risk and decide if saving $30 it’s worth a tiny possibility of a legal mess or even being banned from ever flying in that airline again. I’m risk averse for this kind of stuff so I would pay for internet access.
One surely can be charged with anything. What I'm trying to say is that tampering or compromising safety of the flight are IMHO highly improbable charges that are very unlikely to appear, and even less likely to stick. Hell, I strongly suspect airline is going to defend the hacker in this scenario, because they absolutely wouldn't want anyone (especially FAA) to ever think their firewall bug can affect flight safety.
I think it's well-known that entertainment systems have to be isolated from main systems of the aircraft. I'm not an expert, but I know that it was the case that IFEs weren't safe, plane(s) went down because of that, so we no longer do that.
All this said, I totally agree with you that there is a non-negligible chance that abusing the network policies could lead to some charges, possibly even criminal charges. Or, at the very least, lead to some unpleasantness that surely isn't worth 30 bucks. Just not the charges you're mentioning.
I interviewed for a cybersecurity position with BA a little while back, it was a bit odd in general. I mentioned a few issues I thought were serious holes on their website, equivalent to the breach they ended up being fined for.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
BA was the one who got pwned with a card skimmer script on their checkout page, so this tracks.
On the other hand, in-flight Wi-Fi "security" and actual company property security don't have anything to do with it. The in-flight Wi-Fi isn't protecting anything, it's just there as an annoyance to get a few extra bucks similarly to catering (and just like the latter, typically outsourced to a third-party which just allows them to white-label it).
Starlink-based ones have enough bandwidth for the whole plane to have workable bandwidth (just rate-limit based on client so no single heavy user hogs the entire bandwidth).
There's also an European one whose name currently escapes me which uses a custom flavor of LTE and special ground stations that also happily provides hundreds of mbps.
Capacity is primarily an issue on the legacy BGAN-based ones where you have a handful of mbps for the entire plane.
> They said a pentest would find them if they were important.
Is it just me, or are pentests about as useless as a UK home survey? Like, they're not going to move the furniture to look for issues.
I've experienced many companies who think due diligence is done by paying a 3rd party company to do the annual pentest. Meanwhile, the eng that actually work on the product, and know about potential issues, can't get leadership buy-in to invest in security.
They're not all bad. We're selling our house and the buyer's surveyor was incredibly thorough - he picked up on some small issues I'd never even noticed even though they were right in front of my eyes the last few years (nothing serious though). He was so good that I'd definitely use him for any future moves.
Pentests can be brilliant if you know the scope you want to have tested. The additional benefit being the business is more likely to pay (engineering time!) for fixes of the issues reported.
> Something along the lines of arbitrary subdomains which represent the request payload, and a custom nameserver that returns responses via the TXT record or something. Anyway…).
I did something similar ~12 years ago, albeit it was just http(a) over UDP tunneling, and not DNS specifically.
I had to spend 8 hours in Stansted airport, and I managed to setup the tunnel while in the time limit of the free WiFi (I think it was 30'). It felt good, haha.
As someone who thoroughly enjoys being forced to be offline when flying, as an escape from the world for a few hours, I hope your efforts do not lead to free wifi for all!
You've got free will right? Nobody forces you to be online, be it on a plane or on your sofa. Even if those around you are using the internet on a plane it's of zero consequence to you.
Not all of us are heroin/wifi addicts. But when I am on a 16-hour flight with nothing to do, I can use the wifi do some work. I actually enjoy my work.
I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.
SNI is used extensively by the Russian government for censorship. All DPI circumvention tools are based on mangling the ClientHello enough to confuse the DPI box but not enough for the destination server to notice anything.
Funnily enough, I'm on a British Airways flight right this moment. I'm only using a basic Wireguard tunnel after enabling the free messaging plan. I get the sense they didn't design the firewall to block everything comprehensively.
Nice! I created tuningfork [1] a couple of months ago that proxies traffic through another node for the configured upstream. I wanted to understand networks, so rolled my own thing. And I wanted to bypass age verification laws in UK :)
I also recently flew on BA and bypassed the free WiFi restrictions just by using a VPN. Not sure why that worked, but with Mullvad I was able to browse Hacker News in the air. Didn't need anything more advanced than that!
I was in a intercontinental flight few weeks ago and when everyone was sleeping my wife was able to open Instagram and scroll the feed, while other websites were not accessible.
I did not have a PC with me, but I immediately guessed about they are doing filtering based on SNI.
Appliances like Allot or Sandvine are in this market since more than a decade.
What's up with the dates? The HN page shown in the screenshot is from 18-05-2025 around 1pm GMT, while the curl commands show a date of 09-05-2025. The story sounded like it was a single journey from EDI to HKG via LHR.
Sorry if its a bit unclear; the first part was HKG -> LHR when I kinda discovered it (9th May), and then the HTTPS proxy test was my flight back LHR -> HKG (18th May)
If you use Lyrebird not only can you obfuscate your traffic behind various transports, it does domain fronting by default. Don't have to jump through this many hoops.
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
Thanks. That README is a bit out of date from when the project just implemented a single transport, this is more accurate[1]. It's what's used in the latest Tor Browser.
A TOR dev gave a recent talk at DEFCON [1], and described this as one of the ways that attempts at nationwide blocks to the TOR network are implemented. I'm not sure that it's exactly the same as domain fronting, since that might involve a CDN, but the technique is very close.
There may not be any "free messaging" or similar offers is my guess. In fact using ECH it is already possible to spoof the SNI but make a real TLS handshake to the underlying domain; you can try it on my test website[0] with wireshark open on the side (if your browser supports ECH)
Except if the messengers happily collude with you, which Facebook does - they have a website (can't remember the link) where network providers can get IP ranges and other information to enable "zero rating" for Facebook's properties.
Yep; on my way to LHR I was intrigued by their "free messaging" and wanted to poke around, with the SNI hypothesis I did the actual HTTPS proxy setup on a VPS while in the UK, so I could actually try and proxy arbitrary browser traffic on the way back
At some point the cost of the meter exceeds the value of the product being metered. This happened very soon after hotels really jacked up telephone bills. Somehow they decided not to stop being silly, simply to bill the ignorant or lazy and airlines look to be cut from the same DNA: we're maybe going to wind up with viable cellular comms inside aircraft that bypasses the airline.
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
I totally believe pirating is not stealing, but this really is. Tech people are probably the highest paid profession now, you still dont want to pay for your wifi?
This person just shared (for free) tons of experience, knowledge and insight into thinking/problem-solving process, for others to enjoy and learn from - and your only comment is attack on them for "stealing" somehow, by not sending e.g. 300 WA messages, but instead kilobytes of HN content?
How much would you calculate was stolen this way? Based on which factors?
As a side note, those pesky "tech people" are most certainly not THE most paid profession, now or ever.
I wouldn’t be upset to see a disclaimer that this was done as a proof of a technical concept and not to save a buck.
For readers, I totally understand trying at once but it would be odd if e.g. someone I know who makes six figures told me they exploited this on every leg of their journey.
We wouldn’t want to fill our water cups with soda even if it only costs the restaurant a penny.
So this, in your opinion, causes more damage than violating someone's copyrights? This is quite literally just using a resource than would otherwise be wasted. Of course, the electricity use is lower if less people use this network, but this is negligible.
>just using a resource than would otherwise be wasted
I take care with this line of reasoning. It could be extended to a college class with an extra seat at the back, a chairlift at a ski resort on a slow day, that kind of thing. Using either can lead to theft of services charges.
Oh, it absolutely can lead to charges (same as piracy referred to in the comment I responded to), which doesn't change the fact that it is using a resource that would otherwise be wasted. A college class is a perfect example. Not every illegal act is unethical.
I have a friend who did similar tunneling a while ago. It also works on cruise ships.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.
[1] https://github.com/XTLS/Xray-core
Someone was using Xray, proxying to my employer, and it was detected in our attack surface management tool (Censys). I had some quite stressful few minutes before I realised what was going on, "how the hell have our TLS cert leaked to some random VPS hoster in Vietnam!?".
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.
> I have a friend who did similar tunneling a while ago. It also works on cruise ships.
Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.
I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)
They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)
If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.
$50 a day for internet is criminal, I don't care if you're at sea or in outer space.
Your sea communications literally do go to outer space. That's why it's so expensive.
10 years ago that was a valid excuse.
Starlink does not cost $50 per day
What does a Starlink installation cost (upfront and ongoing) to service 3000-5000 daily users at expected speeds?
Don't forget to price in the costs of installing and maintaining a WiFi network that works consistently in a metal ship whose interior is composed from prefab metal modules. (Hint: every cabin, every space, has one or more APs).
I haven't done the math, and I'm sure they profit on the offering, but I doubt it's as egregious as these replies make it sound.
(I thought about this a bit when I was on a cruise that offered Starlink this past summer.)
Edit: also don't forget that everyone gets free WiFi, it's just that internet access is restricted for guests who don't pay. So it does need to support the ship's full complement and passengers.
Presumably they maintain all those wifi access points regardless of whether or not anyone buys the wifi package. That lets the cruise app work. And the staff use wifi too.
I’m sure servicing thousands of people via starlink is expensive. But the cost is amortised over the number of people using it. Thousands of users should make internet access cheaper, not make it more expensive.
They also don’t provide “normal” internet speeds. I was usually getting about 20kBps - which is painfully slow. I tried to have a zoom call on the one day I paid for internet, and every minute or two we would get a latency spike of 10+ seconds. Those latency spikes went away on other days, but the speed never improved much.
The ship I was on is apparently quite old by modern standards. Maybe they don’t have enough starlink satellites installed or something. (It was definitely starlink). But if that’s the case, it makes the price they’re asking all the more outrageous. For $50/day I could probably bring my own starlink satellite on board and it would come out cheaper.
IIRC the cost of Starlink for ships is actually very high. Starts at $5k per month for a commercial vessel I think. Can’t imagine what it is for a passenger ship, but Musk is making his money to be sure.
So $1 per passenger-month or 3 cents. Network and access points were likely there already.
Starlink hardware (aka community hub) is $1.25M. Actual bandwidth cost is 75k per gbps per month.
Perhaps they allowed Apple Push Notification service so their own app can receive notifications?
Ah yeah that makes sense. They have messaging built into their app so you can message friends and family while onboard the ship. I didn't use it - but of course, if they block APNS, messages wouldn't be able to show up on the lock screen.
Allowing inbound messages is pressure on people to buy service so they can respond. I'd guess it was for evil marketing reasons.
I bet there some IT team at the cruise line that leaves these back doors in their systems deliberately as an “on-board activity” for their hacker customers.
Hah! Well it worked for me! It kept me entertained for the better part of a day.
I never figured out a way to route internet on my phone through my laptop. But it was probably for the best. It was lovely spending a few weeks with no internet connection on my phone, in arms reach away at all times.
I’m literally about to hop on a cruise ship tomorrow and trying to figure out how to solve for this, so this is timely.
You could just relax and unplug
The modern cruise ship techie Internet solution is a starlink mini. The cost of the dish plus service and a middle finger to the cruise ship company that your family dragged you on is worth more than the number of dollars it cost to go on the cruise. (The alternative, having a healthy family dynamic, is a whole other can of worms.)
agreed, though they are banning devices: https://cruisefever.net/no-starlink-allowed-why-cruise-ships...
Oh, the travel router trick. As a techie with too many devices, plus family, you use the travel router to buy the Internet package and then everyone else associates to the travel router and you don’t have to pay for Internet access six different times.
I've heard of cruise lines banning travel routers as well.
Security now confiscates those when you board the ship alongside your bottles of “mouthwash”.
Why do people continue to go on cruises? I've never been on one and have no desire to go.
Why do people comment on HN? Different strokes for different folks.
But basically you get to see a bunch of destinations while all your travel is organized for you, you never have to switch rooms and constantly pack/unpack, and the actual travel part is infinitely more comfortable.
A room and sundeck and pool beats a plane seat or train seat any day.
I'm not into cruises myself, but the appeal seems pretty understandable in terms of convenience.
Downside is you don’t see that much - you get 4-6 hours each day in some city and are offered incredibly expensive day tours (kinda worth it because you have so little time).
I doubt this is a legitimate question, but I'll bite: It is cheap.
Go price out hotels and food in any major destination for one week. Now go price out a cruise for one week which also includes entertainment and a travel component. Somehow, the cruise is CHEAPER and offers more.
That's it. That's the whole answer.
One reason its cheap ...
Long hours and low pay - Some workers face shifts of more than 12 hours a day, seven days a week, often without overtime pay. Wages can be very low, sometimes below $20 per day, though tips can supplement income. Workers often live in small, shared cabins with limited personal space. Ships often registered in countries with lax regulations. No pay between workers contracts
These are ONLY some of the reasons ....
It helps to be on a Panamanian registered vessel in international waters.
People who are older or with limited mobility find it far easier to get see multiple destinations without having to unpack/pack, navigate difficult airports, etc. I have been on a few, and while I’m not the biggest fan, they’re not terrible if you are traveling with folks who have mobility issues. I would not go on a cruise after COVID, though.
They’re also far less expensive than many other vacations, especially if you have kids and are considering Disney stuff.
Still a human Petri dish.
The amount of public WiFi's (including in-flight ones) I've bypassed by running a vpn server on udp port 53 is honestly insane. Sadly, this is becoming less commonplace many captive portals don't allow any egress at all aside from the captive portal's IP - but alas - still impressive how many are susceptible. It also bypasses traffic shaping (speed limiting) on most networks that are publicly accessible even if they do require some kind of authorization to enable external accessibility.
Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
The networks where you can pay through the captive portal have to temporarily allow all traffic to load their payment widget and provide 3D-Secure (they don't know the domain your bank uses for that, so they have to allow all). Those can generally be bypassed by initiating the payment flow over and over again.
Some implementations of 3d secure load in an iframe, and the containing app waits for a postMessage from inside the iFrame to confirm that 3d secure has completed successfully
If you can load your own content into the iframe, and can figure out what the containing page web app is expecting, you can send window.parent.postMessage() and bypass 3dsecure
I had 8 IPs in a hetzner server years ago. One IP had an iptables rule to accept openvpn on any port.
My openvpn config was a long list of commonly accepted ports on either tcp or udp.
Startup would take a while but the number of times it worked was amazing.
Yea, I run wireguard & OpenVPN on port53 (different VPS) just in case it works. Unfortunately my experience with the "pay to use" WiFi so far has been they validate that port 53 is valid DNS traffic, and often don't allow arbitrary resolvers (e.g. `dig example.com @1.1.1.1` will not work)
You can use iodine and do a delegation from a real domain: It encodes packets in subdomains of your domain (and decodes them with a special DNS server). It is not fast.
I like to use SNI with e.g. pagead2.googlesyndication.com and www.googletagmanager.com because a lot of captive portals put ads on them, and I it on a google cloud instance since they own the IP.
I've gotten this to work, but it's just so slow that it's not worth it.
Those are great domains for this kinda thing! Thanks for the idea
There are also airline wifi these days that allow "free messaging" i.e. WhatsApp and Facebook Messenger traffic only.
If one could create a TCP-over-WhatsApp VPN that would be fantastic.
Airline-dependent but I have been able to browse HN over the "messaging" plan. Sometimes its just a data rate restriction, so HN works fine.
Even for genuine WhatsApp traffic the speed is limited so severely that loading a video or image someone sent you is nearly impossible.
TCP would be too wasteful - Whatsapp already has retransmissions/etc. You'd want to proxy at a higher layer such as HTTP and just relay HTTP messages (or ideally QUIC traffic so that you take advantage of header reuse/compression, etc - but somehow disable retransmissions since you're already on a reliable link).
I think this is a premature optimisation.
I'd rather have a straightforward TCP-over-WhatsApp proxy than some hacky thing that only works for HTTP, has to peek inside your TLS sessions, etc.
I think that's essentially what my HTTPS proxy does; except rather than actually being over WhatsApp (i.e. using WA messages or w/ever), the SNI tricks their authorization into thinking I'm using WA, while I am connecting to my proxy.
No, yours would immediately break if they whitelist IPs. This one is pretty much officially sanctioned WhatsApp traffic.
Ah right, if they also impose IP restrictions this would not work
You’d get banned from WhatsApp pretty fast doing that.
Just a heads up before you attempt something like this. When on a plane, you may be subject to laws you don’t know or understand. In the US this could be considered tampering with the aircraft electronic systems and potentially send you to jail for many years. So if you don’t want to find out perhaps pay the $30 or whatever it is for Internet access.
> tampering with the aircraft electronic systems
How? Unless I'm misunderstanding the word, "tampering" implies "making alterations to", and no aircraft systems are altered in any way - they are exactly as they were, doing exactly as they're programmed. (Ab)using the difference between implied programming and de-facto programming could be unauthorized access, but I don't see how that could possibly constitute tampering.
Not that I disagree with your overall point, just the tampering bit strikes me as particularly odd.
You may be right but it’s not up to you to determine if you are in violation of a federal law. If there’s a non-zero chance you can compromise the safety of the flight that’s all a prosecutor would need to charge you. Yes the possibilities of that happening are remote but also non-zero. So all I’m saying is make sure you calculate the risk and decide if saving $30 it’s worth a tiny possibility of a legal mess or even being banned from ever flying in that airline again. I’m risk averse for this kind of stuff so I would pay for internet access.
One surely can be charged with anything. What I'm trying to say is that tampering or compromising safety of the flight are IMHO highly improbable charges that are very unlikely to appear, and even less likely to stick. Hell, I strongly suspect airline is going to defend the hacker in this scenario, because they absolutely wouldn't want anyone (especially FAA) to ever think their firewall bug can affect flight safety.
I think it's well-known that entertainment systems have to be isolated from main systems of the aircraft. I'm not an expert, but I know that it was the case that IFEs weren't safe, plane(s) went down because of that, so we no longer do that.
All this said, I totally agree with you that there is a non-negligible chance that abusing the network policies could lead to some charges, possibly even criminal charges. Or, at the very least, lead to some unpleasantness that surely isn't worth 30 bucks. Just not the charges you're mentioning.
When you say the chance of an indictment is non-zero, does that mean you know of such a case? Do you have a link to a story or a case file?
I interviewed for a cybersecurity position with BA a little while back, it was a bit odd in general. I mentioned a few issues I thought were serious holes on their website, equivalent to the breach they ended up being fined for.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
BA was the one who got pwned with a card skimmer script on their checkout page, so this tracks.
On the other hand, in-flight Wi-Fi "security" and actual company property security don't have anything to do with it. The in-flight Wi-Fi isn't protecting anything, it's just there as an annoyance to get a few extra bucks similarly to catering (and just like the latter, typically outsourced to a third-party which just allows them to white-label it).
It’s also keeping it working. If they allow open access for everyone it would quickly be unworkable
Starlink-based ones have enough bandwidth for the whole plane to have workable bandwidth (just rate-limit based on client so no single heavy user hogs the entire bandwidth).
There's also an European one whose name currently escapes me which uses a custom flavor of LTE and special ground stations that also happily provides hundreds of mbps.
Capacity is primarily an issue on the legacy BGAN-based ones where you have a handful of mbps for the entire plane.
You can do 100s of mbps with a flag and a pair of binoculars...
Sorry, pet peeve: do you mean MB/s, Mb/s, or something else? Probably not the milli-bits per second (mbps) that you wrote.
mbps has always been used for megabits
I mean Mb/s; just reusing the same terminology a lot of speed tests use (they report in Mb/s but often refer to it as "mbps").
That's EAN, also used by BA as the backhaul.
That's the one, thanks!
Sadly most planes still run on legacy systems, it's not something that's ever a priority.
Yes those are awesome
I'm impressed BA even had such a position open. Bullet dodged!
> They said a pentest would find them if they were important.
Is it just me, or are pentests about as useless as a UK home survey? Like, they're not going to move the furniture to look for issues.
I've experienced many companies who think due diligence is done by paying a 3rd party company to do the annual pentest. Meanwhile, the eng that actually work on the product, and know about potential issues, can't get leadership buy-in to invest in security.
> as useless as a UK home survey
Hey it confirms the loft exists at least, by virtue of the surveyor sticking their head through the hatch
Is there a more cushty job in existence??
They're not all bad. We're selling our house and the buyer's surveyor was incredibly thorough - he picked up on some small issues I'd never even noticed even though they were right in front of my eyes the last few years (nothing serious though). He was so good that I'd definitely use him for any future moves.
Counterpoint: pentests are good to catch regressions over time.
Should it be your only security strategy? No. But it can help in combination with other solutions.
Pentests can be brilliant if you know the scope you want to have tested. The additional benefit being the business is more likely to pay (engineering time!) for fixes of the issues reported.
Maybe their job interviews are their pentest.
> Something along the lines of arbitrary subdomains which represent the request payload, and a custom nameserver that returns responses via the TXT record or something. Anyway…).
This is iodine. https://github.com/yarrick/iodine
I did something similar ~12 years ago, albeit it was just http(a) over UDP tunneling, and not DNS specifically.
I had to spend 8 hours in Stansted airport, and I managed to setup the tunnel while in the time limit of the free WiFi (I think it was 30'). It felt good, haha.
FWIW this is called https://en.wikipedia.org/wiki/Domain_fronting
As someone who thoroughly enjoys being forced to be offline when flying, as an escape from the world for a few hours, I hope your efforts do not lead to free wifi for all!
You've got free will right? Nobody forces you to be online, be it on a plane or on your sofa. Even if those around you are using the internet on a plane it's of zero consequence to you.
No, you don't, at least according to Robert Sapolsky https://www.amazon.com/Determined-Science-Life-without-Free-...
going up to heroin addicts and reminding them they have free will
Not all of us are heroin/wifi addicts. But when I am on a 16-hour flight with nothing to do, I can use the wifi do some work. I actually enjoy my work.
addiction is when you're free willing against your long term benefit)
Just don’t do all this work to get free wifi then lol
I think it's more about other passengers on tiktok etc.
They said that they enjoy being forced to be offline as an escape from the world, none of that has any implications of Others.
Exactly
I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.
SNI is used extensively by the Russian government for censorship. All DPI circumvention tools are based on mangling the ClientHello enough to confuse the DPI box but not enough for the destination server to notice anything.
Before SNI every https site needed a dedicated IP address. As https got more popular SNI was introduced
TLS might encrypt the contents but it doesn’t encrypt the destination or source IP (how could it?)
Funnily enough, I'm on a British Airways flight right this moment. I'm only using a basic Wireguard tunnel after enabling the free messaging plan. I get the sense they didn't design the firewall to block everything comprehensively.
Just bare wireguard on 51820? I think I had tried that but no luck; but I don't remember for sure.
I'm using a non-standard port (above 10000). Otherwise, nothing special about my configuration. Perhaps 51820 is blocked?
It is admittedly quite slow/intermittent though; I wouldn't be surprised if that's the reason it didn't look like it was working for you.
Wonder how long it is before it’s taken down. A previous post about a cruise was threatened with legal action
Do you have a link to the story?
Nice one,I just learnt about this website today
dig @ch.at "your question" TXT
Nice! I created tuningfork [1] a couple of months ago that proxies traffic through another node for the configured upstream. I wanted to understand networks, so rolled my own thing. And I wanted to bypass age verification laws in UK :)
[1] - https://github.com/mutn3ja/tuningfork
I also recently flew on BA and bypassed the free WiFi restrictions just by using a VPN. Not sure why that worked, but with Mullvad I was able to browse Hacker News in the air. Didn't need anything more advanced than that!
Were images broken by a rate limit and timed out? Packet size? I wonder if lowering the MTU on the interface would have made them work.
Looks like you were rate limited at the end. They don't rate-limit britishairways.com which is a SNI that you can always access. Lolz.
I remember using Streisand to solve this years ago. Apparently it's abandoned now though.
https://github.com/StreisandEffect/streisand
I was in a intercontinental flight few weeks ago and when everyone was sleeping my wife was able to open Instagram and scroll the feed, while other websites were not accessible. I did not have a PC with me, but I immediately guessed about they are doing filtering based on SNI. Appliances like Allot or Sandvine are in this market since more than a decade.
What's up with the dates? The HN page shown in the screenshot is from 18-05-2025 around 1pm GMT, while the curl commands show a date of 09-05-2025. The story sounded like it was a single journey from EDI to HKG via LHR.
Sorry if its a bit unclear; the first part was HKG -> LHR when I kinda discovered it (9th May), and then the HTTPS proxy test was my flight back LHR -> HKG (18th May)
Got it. Nice work and great write-up! Teaches a few things.
If you use Lyrebird not only can you obfuscate your traffic behind various transports, it does domain fronting by default. Don't have to jump through this many hoops.
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...
…in case anyone else needed a link.
Thanks. That README is a bit out of date from when the project just implemented a single transport, this is more accurate[1]. It's what's used in the latest Tor Browser.
[1] https://support.torproject.org/tbb/lyrebird/
Hmmm can you hide vpn traffic this way?
A TOR dev gave a recent talk at DEFCON [1], and described this as one of the ways that attempts at nationwide blocks to the TOR network are implemented. I'm not sure that it's exactly the same as domain fronting, since that might involve a CDN, but the technique is very close.
[1] https://youtu.be/djM70O0SnsY
That's really cool I never thought about having your own host and then faking the SNI.
I find it pathetic that vendors and ISPs are snooping SNI headers to block things, looking at you, UK.
Also, I wonder what will happen if those instant messaging apps move to Encrypted SNI (ECH), will they just not work, or is there fallback?
There may not be any "free messaging" or similar offers is my guess. In fact using ECH it is already possible to spoof the SNI but make a real TLS handshake to the underlying domain; you can try it on my test website[0] with wireshark open on the side (if your browser supports ECH)
[0] https://rfc5746.mywaifu.best:4443/
Eventually airlines will just whitelist IP ranges for free messaging-only access.
Almost impossible task. The public IPs change every time. Usually they are on CDN that have a very large IP range.
And if they allow large IP ranges, one could try to spin up a virtual machine on the same cloud provider as the messaging platform.
> Almost impossible task
Except if the messengers happily collude with you, which Facebook does - they have a website (can't remember the link) where network providers can get IP ranges and other information to enable "zero rating" for Facebook's properties.
Or even provide proxies to run on the airline network
Wait a minute: the guy did all this during a flight?
Half of it. He also describes some preparations he did while in the destination and a final test on a flight back.
Yep; on my way to LHR I was intrigued by their "free messaging" and wanted to poke around, with the SNI hypothesis I did the actual HTTPS proxy setup on a VPS while in the UK, so I could actually try and proxy arbitrary browser traffic on the way back
I am insanely productive on airplanes, I'm sure others are the same.
He wrote at the end he hoped his idea and all preparations will work, because he wouldn't be able to repeat the steps while in-flight.
I wonder how generalizable this is to other airlines
iodine is just easier in general, but since many airlines use the same vendor - probably the same.
At some point the cost of the meter exceeds the value of the product being metered. This happened very soon after hotels really jacked up telephone bills. Somehow they decided not to stop being silly, simply to bill the ignorant or lazy and airlines look to be cut from the same DNA: we're maybe going to wind up with viable cellular comms inside aircraft that bypasses the airline.
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
Cool
I totally believe pirating is not stealing, but this really is. Tech people are probably the highest paid profession now, you still dont want to pay for your wifi?
This person just shared (for free) tons of experience, knowledge and insight into thinking/problem-solving process, for others to enjoy and learn from - and your only comment is attack on them for "stealing" somehow, by not sending e.g. 300 WA messages, but instead kilobytes of HN content?
How much would you calculate was stolen this way? Based on which factors?
As a side note, those pesky "tech people" are most certainly not THE most paid profession, now or ever.
I wouldn’t be upset to see a disclaimer that this was done as a proof of a technical concept and not to save a buck.
For readers, I totally understand trying at once but it would be odd if e.g. someone I know who makes six figures told me they exploited this on every leg of their journey.
We wouldn’t want to fill our water cups with soda even if it only costs the restaurant a penny.
So this, in your opinion, causes more damage than violating someone's copyrights? This is quite literally just using a resource than would otherwise be wasted. Of course, the electricity use is lower if less people use this network, but this is negligible.
>just using a resource than would otherwise be wasted
I take care with this line of reasoning. It could be extended to a college class with an extra seat at the back, a chairlift at a ski resort on a slow day, that kind of thing. Using either can lead to theft of services charges.
Oh, it absolutely can lead to charges (same as piracy referred to in the comment I responded to), which doesn't change the fact that it is using a resource that would otherwise be wasted. A college class is a perfect example. Not every illegal act is unethical.
Back in high school, I sat in on plenty of college classes with an extra seat at the back. Nobody seemed to mind.