WingNews logo WingNews
top | item 45701304

(no title)

markasoftware | 4 months ago

I have a friend who did similar tunneling a while ago. It also works on cruise ships.

He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.

My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.

(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).

discuss

order

amritananda|4 months ago

This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).

It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.

[1] https://github.com/XTLS/Xray-core

filleokus|4 months ago

Someone was using Xray, proxying to my employer, and it was detected in our attack surface management tool (Censys). I had some quite stressful few minutes before I realised what was going on, "how the hell have our TLS cert leaked to some random VPS hoster in Vietnam!?".

Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.

josephg|4 months ago

> I have a friend who did similar tunneling a while ago. It also works on cruise ships.

Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.

I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)

They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)

If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.

walthamstow|4 months ago

$50 a day for internet is criminal, I don't care if you're at sea or in outer space.

catgirlinspace|4 months ago

Perhaps they allowed Apple Push Notification service so their own app can receive notifications?

CGamesPlay|4 months ago

I bet there some IT team at the cruise line that leaves these back doors in their systems deliberately as an “on-board activity” for their hacker customers.

toast0|4 months ago

> Though I'm still not sure how my phone was getting notifications.

Almost all of these special pricing/zero-rating schemes will include platform push in the zero rated traffic. Can't use anything without it, and most of the platforms have public pages describing how to identify their traffic, because there's lots of networks that want to allow it.

fragmede|4 months ago

The modern cruise ship techie Internet solution is a starlink mini. The cost of the dish plus service and a middle finger to the cruise ship company that your family dragged you on is worth more than the number of dollars it cost to go on the cruise. (The alternative, having a healthy family dynamic, is a whole other can of worms.)

kotaKat|4 months ago

Security now confiscates those when you board the ship alongside your bottles of “mouthwash”.

7thpower|4 months ago

I’m literally about to hop on a cruise ship tomorrow and trying to figure out how to solve for this, so this is timely.

grogenaut|4 months ago

You could just relax and unplug