> Something along the lines of arbitrary subdomains which represent the request payload, and a custom nameserver that returns responses via the TXT record or something. Anyway…).
If you use Lyrebird not only can you obfuscate your traffic behind various transports, it does domain fronting by default. Don't have to jump through this many hoops.
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
I have a friend who did similar tunneling a while ago. It also works on cruise ships.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
The amount of public WiFi's (including in-flight ones) I've bypassed by running a vpn server on udp port 53 is honestly insane. Sadly, this is becoming less commonplace many captive portals don't allow any egress at all aside from the captive portal's IP - but alas - still impressive how many are susceptible. It also bypasses traffic shaping (speed limiting) on most networks that are publicly accessible even if they do require some kind of authorization to enable external accessibility.
Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
At some point the cost of the meter exceeds the value of the product being metered. This happened very soon after hotels really jacked up telephone bills. Somehow they decided not to stop being silly, simply to bill the ignorant or lazy and airlines look to be cut from the same DNA: we're maybe going to wind up with viable cellular comms inside aircraft that bypasses the airline.
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
As someone who thoroughly enjoys being forced to be offline when flying, as an escape from the world for a few hours, I hope your efforts do not lead to free wifi for all!
I was in a intercontinental flight few weeks ago and when everyone was sleeping my wife was able to open Instagram and scroll the feed, while other websites were not accessible.
I did not have a PC with me, but I immediately guessed about they are doing filtering based on SNI.
Appliances like Allot or Sandvine are in this market since more than a decade.
Funnily enough, I'm on a British Airways flight right this moment. I'm only using a basic Wireguard tunnel after enabling the free messaging plan. I get the sense they didn't design the firewall to block everything comprehensively.
What's up with the dates? The HN page shown in the screenshot is from 18-05-2025 around 1pm GMT, while the curl commands show a date of 09-05-2025. The story sounded like it was a single journey from EDI to HKG via LHR.
I also recently flew on BA and bypassed the free WiFi restrictions just by using a VPN. Not sure why that worked, but with Mullvad I was able to browse Hacker News in the air. Didn't need anything more advanced than that!
I interviewed for a cybersecurity position with BA a little while back, it was a bit odd in general. I mentioned a few issues I thought were serious holes on their website, equivalent to the breach they ended up being fined for.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
Nice! I created tuningfork [1] a couple of months ago that proxies traffic through another node for the configured upstream. I wanted to understand networks, so rolled my own thing. And I wanted to bypass age verification laws in UK :)
I totally believe pirating is not stealing, but this really is. Tech people are probably the highest paid profession now, you still dont want to pay for your wifi?
I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.
30 comments
[ 3.1 ms ] story [ 35.4 ms ] threadThis is iodine. https://github.com/yarrick/iodine
I find it pathetic that vendors and ISPs are snooping SNI headers to block things, looking at you, UK.
Also, I wonder what will happen if those instant messaging apps move to Encrypted SNI (ECH), will they just not work, or is there fallback?
Also, allegedly, MAC spoofing of already authenticated clients can bypass many of these paywall-gated hotspots :)
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
Highly recommend softether as they give you juicy Azure relay capability for free which is allowed in more "whitelist only" networks than your own vps server.
Haven't gone so far as to enable iodine for actual two-way dns communication through a third party DNS resolver, but that would probably work in more cases than this, albeit slower.
"Stealing" ip flows over Port 53 isn't the way out, the path out is having RF which doesn't flow through the airline's base station.
They said a pentest would find them if they were important.
I think we parted with both parties unimpressed with the other.
[1] - https://github.com/mutn3ja/tuningfork
dig @ch.at "your question" TXT