HN Reader

Funnily enough, I'm on a British Airways flight right this moment. I'm only using a basic Wireguard tunnel after enabling the free messaging plan. I get the sense they didn't design the firewall to block everything comprehensively.

> Something along the lines of arbitrary subdomains which represent the request payload, and a custom nameserver that returns responses via the TXT record or something. Anyway…).

This is iodine. https://github.com/yarrick/iodine

I have a friend who did similar tunneling a while ago. It also works on cruise ships.

He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.

My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.

(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).

I interviewed for a cybersecurity position with BA a little while back, it was a bit odd in general. I mentioned a few issues I thought were serious holes on their website, equivalent to the breach they ended up being fined for.

They said a pentest would find them if they were important.

I think we parted with both parties unimpressed with the other.

The amount of public WiFi's (including in-flight ones) I've bypassed by running a vpn server on udp port 53 is honestly insane. Sadly, this is becoming less commonplace many captive portals don't allow any egress at all aside from the captive portal's IP - but alas - still impressive how many are susceptible. It also bypasses traffic shaping (speed limiting) on most networks that are publicly accessible even if they do require some kind of authorization to enable external accessibility.

Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.

Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.

As someone who thoroughly enjoys being forced to be offline when flying, as an escape from the world for a few hours, I hope your efforts do not lead to free wifi for all!

I remember using Streisand to solve this years ago. Apparently it's abandoned now though.

https://github.com/StreisandEffect/streisand

Just a heads up before you attempt something like this. When on a plane, you may be subject to laws you don’t know or understand. In the US this could be considered tampering with the aircraft electronic systems and potentially send you to jail for many years. So if you don’t want to find out perhaps pay the $30 or whatever it is for Internet access.

I totally believe pirating is not stealing, but this really is. Tech people are probably the highest paid profession now, you still dont want to pay for your wifi?

At some point the cost of the meter exceeds the value of the product being metered. This happened very soon after hotels really jacked up telephone bills. Somehow they decided not to stop being silly, simply to bill the ignorant or lazy and airlines look to be cut from the same DNA: we're maybe going to wind up with viable cellular comms inside aircraft that bypasses the airline.

"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.

I was in a intercontinental flight few weeks ago and when everyone was sleeping my wife was able to open Instagram and scroll the feed, while other websites were not accessible. I did not have a PC with me, but I immediately guessed about they are doing filtering based on SNI. Appliances like Allot or Sandvine are in this market since more than a decade.

Were images broken by a rate limit and timed out? Packet size? I wonder if lowering the MTU on the interface would have made them work.

Cool

Wait a minute: the guy did all this during a flight?

Nice one,I just learnt about this website today

dig @ch.at "your question" TXT

What's up with the dates? The HN page shown in the screenshot is from 18-05-2025 around 1pm GMT, while the curl commands show a date of 09-05-2025. The story sounded like it was a single journey from EDI to HKG via LHR.

Eventually airlines will just whitelist IP ranges for free messaging-only access.

I also recently flew on BA and bypassed the free WiFi restrictions just by using a VPN. Not sure why that worked, but with Mullvad I was able to browse Hacker News in the air. Didn't need anything more advanced than that!

I wonder how generalizable this is to other airlines

If you use Lyrebird not only can you obfuscate your traffic behind various transports, it does domain fronting by default. Don't have to jump through this many hoops.

Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)

I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.

FWIW this is called https://en.wikipedia.org/wiki/Domain_fronting

Nice! I created tuningfork [1] a couple of months ago that proxies traffic through another node for the configured upstream. I wanted to understand networks, so rolled my own thing. And I wanted to bypass age verification laws in UK :)

[1] - https://github.com/mutn3ja/tuningfork

That's really cool I never thought about having your own host and then faking the SNI.

I find it pathetic that vendors and ISPs are snooping SNI headers to block things, looking at you, UK.

Also, I wonder what will happen if those instant messaging apps move to Encrypted SNI (ECH), will they just not work, or is there fallback?

Hmmm can you hide vpn traffic this way?

Looks like you were rate limited at the end. They don't rate-limit britishairways.com which is a SNI that you can always access. Lolz.

Wonder how long it is before it’s taken down. A previous post about a cruise was threatened with legal action