HN Reader

I have a friend who did similar tunneling a while ago. It also works on cruise ships.

He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.

My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.

(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).

The amount of public WiFi's (including in-flight ones) I've bypassed by running a vpn server on udp port 53 is honestly insane. Sadly, this is becoming less commonplace many captive portals don't allow any egress at all aside from the captive portal's IP - but alas - still impressive how many are susceptible. It also bypasses traffic shaping (speed limiting) on most networks that are publicly accessible even if they do require some kind of authorization to enable external accessibility.

Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.

Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.

As someone who thoroughly enjoys being forced to be offline when flying, as an escape from the world for a few hours, I hope your efforts do not lead to free wifi for all!

I also recently flew on BA and bypassed the free WiFi restrictions just by using a VPN. Not sure why that worked, but with Mullvad I was able to browse Hacker News in the air. Didn't need anything more advanced than that!

Just a heads up before you attempt something like this. When on a plane, you may be subject to laws you don’t know or understand. In the US this could be considered tampering with the aircraft electronic systems and potentially send you to jail for many years. So if you don’t want to find out perhaps pay the $30 or whatever it is for Internet access.

Nice! I created tuningfork [1] a couple of months ago that proxies traffic through another node for the configured upstream. I wanted to understand networks, so rolled my own thing. And I wanted to bypass age verification laws in UK :)

[1] - https://github.com/mutn3ja/tuningfork

Nice one,I just learnt about this website today

dig @ch.at "your question" TXT

Looks like you were rate limited at the end. They don't rate-limit britishairways.com which is a SNI that you can always access. Lolz.

Wonder how long it is before it’s taken down. A previous post about a cruise was threatened with legal action

I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.

I interviewed for a cybersecurity position with BA a little while back, it was a bit odd in general. I mentioned a few issues I thought were serious holes on their website, equivalent to the breach they ended up being fined for.

They said a pentest would find them if they were important.

I think we parted with both parties unimpressed with the other.

Funnily enough, I'm on a British Airways flight right this moment. I'm only using a basic Wireguard tunnel after enabling the free messaging plan. I get the sense they didn't design the firewall to block everything comprehensively.

FWIW this is called https://en.wikipedia.org/wiki/Domain_fronting

> Something along the lines of arbitrary subdomains which represent the request payload, and a custom nameserver that returns responses via the TXT record or something. Anyway…).

This is iodine. https://github.com/yarrick/iodine

I'm not bashing, but just want to remind about the alt attribute on images. The BA messaging wifi is an example of a use cases where images might not work as pointed out in the article and an alternative description would be needed. But the article itself is using images with alt text.

I wonder how generalizable this is to other airlines

I remember using Streisand to solve this years ago. Apparently it's abandoned now though.

https://github.com/StreisandEffect/streisand

What's up with the dates? The HN page shown in the screenshot is from 18-05-2025 around 1pm GMT, while the curl commands show a date of 09-05-2025. The story sounded like it was a single journey from EDI to HKG via LHR.

I totally believe pirating is not stealing, but this really is. Tech people are probably the highest paid profession now, you still dont want to pay for your wifi?

If you use Lyrebird not only can you obfuscate your traffic behind various transports, it does domain fronting by default. Don't have to jump through this many hoops.

Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)

Eventually airlines will just whitelist IP ranges for free messaging-only access.

Hmmm can you hide vpn traffic this way?

That's really cool I never thought about having your own host and then faking the SNI.

I find it pathetic that vendors and ISPs are snooping SNI headers to block things, looking at you, UK.

Also, I wonder what will happen if those instant messaging apps move to Encrypted SNI (ECH), will they just not work, or is there fallback?

Cool

Wait a minute: the guy did all this during a flight?

At some point the cost of the meter exceeds the value of the product being metered. This happened very soon after hotels really jacked up telephone bills. Somehow they decided not to stop being silly, simply to bill the ignorant or lazy and airlines look to be cut from the same DNA: we're maybe going to wind up with viable cellular comms inside aircraft that bypasses the airline.

"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.

I was in a intercontinental flight few weeks ago and when everyone was sleeping my wife was able to open Instagram and scroll the feed, while other websites were not accessible. I did not have a PC with me, but I immediately guessed about they are doing filtering based on SNI. Appliances like Allot or Sandvine are in this market since more than a decade.

Were images broken by a rate limit and timed out? Packet size? I wonder if lowering the MTU on the interface would have made them work.