I have a friend who did similar tunneling a while ago. It also works on cruise ships.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).
This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.
Someone was using Xray, proxying to my employer, and it was detected in our attack surface management tool (Censys). I had some quite stressful few minutes before I realised what was going on, "how the hell have our TLS cert leaked to some random VPS hoster in Vietnam!?".
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.
> I have a friend who did similar tunneling a while ago. It also works on cruise ships.
Hah I was just about to say the same thing! I just got home from a ~3 week cruise. Internet on the ship was absurdly expensive ($50/day). And its weird - they have wifi and a phone app that works over the internet even if you don't pay. Google maps seemed to work. And my phone could receive notifications from apple just fine. But that was about it.
I spend some time staring at wireshark traces. It looks like every TCP connection is allowed to send and receive a couple packets normally. Then they take a close look at those packets to see if the connection should be allowed or blocked & reset. I'm not sure about other protocols, but for TLS, they look for a ClientHello. If preset, the domain is checked to see if its on a whitelist. Anything on their whitelist is allowed even if you aren't paying for internet. Whitelisted domains include the website of the cruise company and a few countries' visa offices. The cruise app works by whitelisting the company's own domain name. (Though I'm still not sure how my phone was getting notifications.)
They clearly know about the problem. There's some tools that make it easy to work around a block like this. But the websites for those tools are themselves blocked, even if you pay for internet. :)
If you figure out how to take advantage of this loophole, please don't abuse it too much or advertise the workaround. If it gets too well known or widely abused, they'll need to plug this little hole. And that would be a great pity indeed.
What does a Starlink installation cost (upfront and ongoing) to service 3000-5000 daily users at expected speeds?
Don't forget to price in the costs of installing and maintaining a WiFi network that works consistently in a metal ship whose interior is composed from prefab metal modules. (Hint: every cabin, every space, has one or more APs).
I haven't done the math, and I'm sure they profit on the offering, but I doubt it's as egregious as these replies make it sound.
(I thought about this a bit when I was on a cruise that offered Starlink this past summer.)
Edit: also don't forget that everyone gets free WiFi, it's just that internet access is restricted for guests who don't pay. So it does need to support the ship's full complement and passengers.
Presumably they maintain all those wifi access points regardless of whether or not anyone buys the wifi package. That lets the cruise app work. And the staff use wifi too.
I’m sure servicing thousands of people via starlink is expensive. But the cost is amortised over the number of people using it. Thousands of users should make internet access cheaper, not make it more expensive.
They also don’t provide “normal” internet speeds. I was usually getting about 20kBps - which is painfully slow. I tried to have a zoom call on the one day I paid for internet, and every minute or two we would get a latency spike of 10+ seconds. Those latency spikes went away on other days, but the speed never improved much.
The ship I was on is apparently quite old by modern standards. Maybe they don’t have enough starlink satellites installed or something. (It was definitely starlink). But if that’s the case, it makes the price they’re asking all the more outrageous. For $50/day I could probably bring my own starlink satellite on board and it would come out cheaper.
That is very different to my experience using it on the ship we were on. I was able to stream TV shows in full quality with no issues, took phone calls from work a few times over WiFi too.
I have never used Starlink otherwise and, frankly, expected much worse service - especially on a cruise ship.
I'd definitely be unhappy paying $50/day for what you described. But I paid less (there was a discount for buying a package ahead of time for my family's devices) and got better service it sounds like.
IIRC the cost of Starlink for ships is actually very high. Starts at $5k per month for a commercial vessel I think. Can’t imagine what it is for a passenger ship, but Musk is making his money to be sure.
Ah yeah that makes sense. They have messaging built into their app so you can message friends and family while onboard the ship. I didn't use it - but of course, if they block APNS, messages wouldn't be able to show up on the lock screen.
> Though I'm still not sure how my phone was getting notifications.
Almost all of these special pricing/zero-rating schemes will include platform push in the zero rated traffic. Can't use anything without it, and most of the platforms have public pages describing how to identify their traffic, because there's lots of networks that want to allow it.
I bet there some IT team at the cruise line that leaves these back doors in their systems deliberately as an “on-board activity” for their hacker customers.
Hah! Well it worked for me! It kept me entertained for the better part of a day.
I never figured out a way to route internet on my phone through my laptop. But it was probably for the best. It was lovely spending a few weeks with no internet connection on my phone, in arms reach away at all times.
The modern cruise ship techie Internet solution is a starlink mini. The cost of the dish plus service and a middle finger to the cruise ship company that your family dragged you on is worth more than the number of dollars it cost to go on the cruise. (The alternative, having a healthy family dynamic, is a whole other can of worms.)
Oh, the travel router trick. As a techie with too many devices, plus family, you use the travel router to buy the Internet package and then everyone else associates to the travel router and you don’t have to pay for Internet access six different times.
Why do people comment on HN? Different strokes for different folks.
But basically you get to see a bunch of destinations while all your travel is organized for you, you never have to switch rooms and constantly pack/unpack, and the actual travel part is infinitely more comfortable.
A room and sundeck and pool beats a plane seat or train seat any day.
I'm not into cruises myself, but the appeal seems pretty understandable in terms of convenience.
Downside is you don’t see that much - you get 4-6 hours each day in some city and are offered incredibly expensive day tours (kinda worth it because you have so little time).
People who are older or with limited mobility find it far easier to get see multiple destinations without having to unpack/pack, navigate difficult airports, etc. I have been on a few, and while I’m not the biggest fan, they’re not terrible if you are traveling with folks who have mobility issues. I would not go on a cruise after COVID, though.
They’re also far less expensive than many other vacations, especially if you have kids and are considering Disney stuff.
I doubt this is a legitimate question, but I'll bite: It is cheap.
Go price out hotels and food in any major destination for one week. Now go price out a cruise for one week which also includes entertainment and a travel component. Somehow, the cruise is CHEAPER and offers more.
Long hours and low pay - Some workers face shifts of more than 12 hours a day, seven days a week, often without overtime pay.
Wages can be very low, sometimes below $20 per day, though tips can supplement income.
Workers often live in small, shared cabins with limited personal space.
Ships often registered in countries with lax regulations.
No pay between workers contracts
There is a level of convenience that is hard to get elsewhere.
I went on a Disney cruise 2 summers ago. All restaurants were in walking distance. All of deck 5 was dedicated to child care. They took you straight to excursions. Family was close, but not too close.
There were some downsides, too, but let's not focus on those. I think the "king" reason we went is because the grandparents were paying and they wanted everyone to be "there" and not leaving. I think the main reason we aren't going again is cost.
He discovered that on some airlines (I think American?), they use an advanced fortinet firewall that doesn't just look at the SNI -- it also checks that the certificate presented by the server has the correct hostname and is issued by a legit certificate authority.
My friend got around that restriction by making the tunnel give the aa.com SNI, and then forward a real server hello and certificate from aa.com (in fact I think he forwards the entire TLS 1.2 handshake to/from aa.com). But then as soon as the protocol typically would turn into encrypted application data, he ignores whatever he sent in the handshake and just uses it as an encrypted tunnel.
(The modern solution is just to use TLS 1.3, which encrypts the server certificate and hence prevents the firewall from inspecting the cert, reducing the problem back to just spoofing the SNI).