[HN Gopher] Tunneling Wikipedia through WhatsApp to (maybe?) get...
___________________________________________________________________
Tunneling Wikipedia through WhatsApp to (maybe?) get around WiFi
restrictions
Author : otras
Score : 347 points
Date : 2022-05-21 23:34 UTC (23 hours ago)
(HTM) web link (alexanderell.is)
(TXT) w3m dump (alexanderell.is)
| smashah wrote:
| You'd be surprised what kind of automations people build on top
| of WhatsApp. Also, you can use free alternatives to the Twilio
| API to do more than just text-based automation.
| kmarc wrote:
| Cool pet project, admirable engineering etc.
|
| My comment is about something else: net neutrality, as someone
| already mentioned.
|
| I was teaching English in Laos for school kids. I was amazed that
| some of their families struggle with providing (nutritious
| enough) food for their children, yet, everyone had smartphones
| with always-on 4G, even in the countryside - however, no WiFi
| almost anywhere.
|
| The brains of these kids are like sponges. They WANT to learn,
| they're shy, but they want to speak, to read, to practice
| English. They also like to (constantly) sing (something that is
| badly missing from western schools), so at one point I referred
| them to "simple English Wikipedia", where they can research their
| favorite singers with easy-to-process articles.
|
| Empty stares.
|
| "so instead of Wikipedia.org, you go to simple.wikipedia.org."
|
| Still nothing.
|
| I had to realize later that even if they knew that this free,
| always available encyclopedia exists, it's NOT included in their
| 4G subscription.
|
| Yes, you guessed correctly: those subscriptions are sponsored by
| big US / Chinese corps, so all these kids had were Facebook,
| Instagram, WhatsApp and TikTok, everything else costs ~10$ which
| is days worth of meals for whole families there.
| KermitTheFrog wrote:
| You may try to write an email/better official mail or even
| visit personally the local cellulars' marketing teams to include
| Wikipedia in the subscriptions. You may propose it to them as a PR
| action: future-care, education-care, name it. Trust me, it may
| definitely work. (I did it many times ("tune up" some events),
| but I worked inside the cellular companies.) The main problem
| may be to break the "first line" of "corporative
| bureaucracy" defence.
| kmarc wrote:
| It feels like this is a lost case... Since then I spent a
| couple months in Ecuador (and other South American countries),
| and what I saw was similar:
|
| Less fortunate people, whose (only?) entertainment is
| TikTok/YouTube/Facebook constantly on their phones. Well,
| Claro (cell provider with one of the best 3G/4G coverage on
| Galapagos) greets you with a Facebook(!!!) page explaining
| that Facebook & sister apps are brought to you for free.
|
| There is zero incentive from any sides to fix this situation.
| The provider is not interested in ditching Meta, Meta is not
| interested in promoting anything else, and unfortunately most
| probably one of them (or both) already paid some gobernadores
| to shut up and keep the status quo of pointing people to ads,
| ads, and more ads.
| nikanj wrote:
| Wikipedia contains non-disney-fied facts, like sex education
| and the Armenian genocide. Not sure if operators would be
| keen to include it.
|
| "AT&T is subjecting our kids to blasphemy" is a real PR
| problem in many countries
| 867-5309 wrote:
| in this instance a simple vpn or proxy should suffice. they
| could get by on free subscriptions for textual content
| kmarc wrote:
| > vpn
|
| > proxy
|
| These are solutions for ME and YOU when we are there as
| tourists (if we really want to chop off that $10 from our
| travel budget). Probably not a solution for people who have
| never heard of websites like Wikipedia.
| 867-5309 wrote:
| if you are introducing them to a new website, they will
| have to remember the address, or create a shortcut/homepage
|
| vpns have "set and forget" autoconnect functionality
|
| it's quite common practice for the more liberal East. how
| do you think they access the wider internet otherwise?
| KolenCh wrote:
| They are talking about people in Laos, and the sponsored
| $10 subscription is considered to be a significant
| portion of their spending already.
|
| Why are you then comparing to rich people in China where
| VPN is commodity?
| 867-5309 wrote:
| >they could get by on free subscriptions
| yorwba wrote:
| > all these kids had were Facebook, Instagram, WhatsApp
| and TikTok, everything else costs ~10$
|
| I don't think any of those four products includes free
| VPN. You'd need to tunnel Wikipedia through WhatsApp
| instead, or something.
| 867-5309 wrote:
| I don't think that's a representation of the full
| picture. a cheap android phone would undoubtedly also
| come with google preinstalled, thus cache/AMP access to
| Wikipedia
|
| I don't think a telecoms company or phone manufacturer
| could reliably restrict the ever changing landscape of
| internet access without affecting usability and social
| media consumption
|
| I don't think they are using customised iPhones where
| perhaps such limits may be imposed
|
| I don't think any determined Laotian kid would consider a
| free vpn an obstacle
|
| I don't think it's unreasonable to say where there's a
| will there's a way
|
| I don't think it's an impossible feat
| kmarc wrote:
| I think you are trying to find a technical solution to a
| social problem. Eventually technical solutions will be
| needed, yes.
|
| Right now it's unreal to even think about VPNs and
| proxies and customized phones etc. It's not a technical
| obstacle for that Lao kid, it's a different universe,
| they never even heard of, nor their peers, parents,
| teachers, or anyone in their surroundings.
| yorwba wrote:
| > a cheap android phone would undoubtedly also come with
| google preinstalled
|
| Plenty of Android phones don't come with Google
| preinstalled.
|
| > thus cache/AMP access to Wikipedia
|
| Even if you have Google on your phone, that doesn't mean
| you won't need a paid data plan to actually use it.
|
| > I don't think a telecoms company or phone manufacturer
| could reliably restrict the ever changing landscape of
| internet access without affecting usability and social
| media consumption
|
| But that's the point? If you want better usability,
| you're expected to pay for full internet access.
| Snowworm wrote:
| If they whitelisted only social media rather than
| blacklisting websites, I highly doubt a VPN or proxy would
| work unless it was provided by Google, Facebook or Tiktok.
| andrewxdiamond wrote:
| How would a VPN work if there is an allowlist of domains? The
| VPN traffic would get blocked, no?
| 867-5309 wrote:
| they operate at a lower OSI level and use various
| obfuscation techniques
| FrenchDevRemote wrote:
| I don't see how that changes anything
|
| They obviously charge for anything that is not whitelisted
|
| And the IP of the VPN all the traffic would pass through
| is definitely not whitelisted...
|
| If they allow Google you could MAYBE host a VPN on google
| cloud but besides that there is absolutely no way this
| changes anything
| McNutty wrote:
| If you know anyone still involved over there you should let
| them know about the Kiwix project!
|
| >Kiwix is an offline reader for online content like Wikipedia,
| Project Gutenberg, or TED Talks. It makes knowledge available
| to people with no or limited internet access. The software as
| well as the content is free to use for anyone.
| redeyedtreefrog wrote:
| That's interesting, inspired me to go down a bit of a wikipedia
| rabbit hole reading about internet.org, facebook zero,
| wikipedia zero, and zero-rating generally.
|
| It seems mobile wikipedia is zero-rated in many countries, but
| by no means all, as indicated by the table on this page:
| https://en.wikipedia.org/wiki/Zero-rating
|
| Though many countries don't have any info in the above table
| (including Laos), and I think the "Zero Wikipedia" column may
| be obsolete as that project was apparently shut down in 2018.
| harias wrote:
| https://internet-in-a-box.org/ might come in handy.
|
| Facebook tried the same in India but was quickly shut down:
| https://www.wired.com/2016/02/facebooks-free-basics-app-is-n...
| lelandfe wrote:
| This stuff is such a gray area for me. I'm staunchly pro-net
| neutrality, but depriving people of the internet altogether
| means losing a huge asset for learning, a platform for
| financial success that otherwise is unattainable, and more.
|
| _But_ then you read about the success of Facebook in
| emerging markets in Africa and it becomes even murkier.
| Basics has caused Facebook to become utterly dominant in many
| African countries[0], and that's precisely what net
| neutrality tries to prevent. That's so much power. I don't
| know what the right answer is.
|
| [0] https://www.theguardian.com/technology/2022/jan/20/facebook-...
| Litost wrote:
| Thanks I'd not heard of internet in a box, I love how it
| empowers people to determine their own requirements and solve
| their own issues rather than just be another excuse to form
| more dependencies on facebook.
| anon4da8e87f wrote:
| nice project, I did something like this too, except I tunneled
| the internet traffic through SMS, so I could access the internet
| through my feature phone lol
| 1vuio0pswjnm7 wrote:
| Of all the possible websites to choose as an example, Wikipedia
| is a strange choice since, unlike most websites, one can download
| its database and query it offline. For example,
|
| https://en.wikipedia.org/wiki/Wikipedia:Database_download
|
| https://download.kiwix.org/zim/
|
| Some other ways to search and read Wikipedia offline:
|
| XOWA: (S: XOWA)
| WikiTaxi: S: WikiTaxi (for Windows)
| aarddict: S: Aard Dictionary
| BzReader: S: BzReader and MzReader (for Windows)
| Selected Wikipedia articles as a printed document: Help:Printing
| Wiki as E-Book: S: E-book
| WikiFilter: S: WikiFilter
| Wikipedia on rockbox: S: Wikiviewer for Rockbox
| ngcc_hk wrote:
| Saw that page:
| https://en.m.wikipedia.org/wiki/Wikipedia:Database_download and
| where which will be suitable for ebook reader for free.
| timetraveller26 wrote:
| In a good world we would have free wikipedia access anywhere, no
| cost.
|
| Then we could learn anything we needed.
|
| https://xkcd.com/548/
| [deleted]
| aero-glide2 wrote:
| That doesn't follow net neutrality though.
| antman wrote:
| Looks like a generalizable solution. Is there an option to also
| embed images?
| hegzploit wrote:
| Would it be possible to spoof the host and get free internet,
| that's something I've always thought about when facing such
| limits.
| cortesoft wrote:
| No, because they aren't basing it on the host header or
| something.
| mgarciaisaia wrote:
| The real, important value of implementing IP over WhatsApp (in a
| proper, transparent way as other commenters are stating, and not
| from a chatbot as in the article) is not to avoid paying $5 for
| WiFi on a plane, but to protest the lack of net neutrality in an
| effective way.
| DeathArrow wrote:
| I fail to see the practicality of this. Since the reason
| presented was not to pay for WiFi but you still have to pay a
| service like Twilio if you want to construct a Whatsapp to
| whatever gateway.
|
| Also, why not construct a Whatsapp to HTTP gateway, since
| pictures and other binary data can be transformed with ease into
| text by something like base64 encoding. Sure, it would still not
| be practical, but it would be a better proof of concept.
| can16358p wrote:
| Would this be extended to tunnel an SSH session over WhatsApp?
|
| While obviously not super convenient, it'd be interesting to type
| commands and get results.
|
| Of course any interactive terminal wouldn't work, but for simple
| commands, executing scripts and seeing logs etc. this should
| work.
| umvi wrote:
| Cool project, but to me this feels like the "how to make a meal
| out of free condiments at restaurants" life hacks.
|
| In my opinion, just pay for the service. Satellite internet
| systems are not cheap to stand up or operate.
| quelltext wrote:
| This is basically a chat bot interface.
|
| Google used to have a way to ask for searches via SMS a while
| ago: https://www.youtube.com/watch?v=J937N9m-XtE
|
| But "tunneling" to me implies some transparent layer allowing you
| to browse Wikipedia via the same way of interaction.
| jamal-kumar wrote:
| I've tried this before, it's a fucking nightmare lol it's not
| full-duplex at all so this severely limits your ability to do
| things at a reasonable speed for most shit. For me it was because
| at the time Zuckerbutt was giving out 'free' internet in the
| third world, but only for whatsapp, instagram, and facebook, so
| me and my friends wanted to see if this was exploitable, but it
| was just way too slow. It really gave me an impression of how
| fast TCP runs at normally which I took for granted before, and
| ideally bidirectionally fast.
|
| For airport wifi I use a DNS tunnel or simple MAC rotation, for
| in-flight... well if they could make it quality someday maybe but
| every time I've shelled out like 50 bucks for an hour or whatever
| the ripoff deal is it doesn't work well enough to do anything. I
| hear the DNS tunnel method does work on some of them though, I
| should try that someday.
|
| As a side note those in-flight screens in the backs of seats are
| interesting in this 'why the hell would they do this' kind of
| way. I managed to crash one when I noticed it had a USB port (bad
| idea on their part)... It was super easy, I tried to read the USB
| key but then just removed it when it was accessing the thing and
| the whole thing just went down. Apparently it was running
| x-windows on some type of *nix because I could see that default
| background with an X for the cursor. They should really get rid
| of those because I'm sure that they could be misused for
| nefarious ends.
| lidder86 wrote:
| Vpn over websocket.. in Indonesia even worked when they "turn"
| off the internet for nyepi with a simple host file hack as you
| could browse the isp website was based on name not IP so yes
| the vpn was unencrypted but you couldn't see it was a vpn
| anaganisk wrote:
| What nefarious needs other than probably playing shrek2 on the
| inflight entertainment systems?
| jamal-kumar wrote:
| I think someone I read about on a link from here actually
| demonstrated a badusb attack
| c_o_n_v_e_x wrote:
| Cool project.. reminds me of all the phreaking websites I used to
| read as a teen.
| kgeist wrote:
| My first thought was to abuse the Web client. Run a server
| somewhere which hooks into JS in headless Chrome, parses commands
| and sends messages (requires a dummy user). The client could be
| based on the Web client, too. But I'm not sure if it's feasible
| and it's probably against the Terms of Use.
| Group_B wrote:
| These are my favorite kind of projects.
| xeromal wrote:
| This reminds me of back in the day when internet cost on mobile
| phones. An og "hacker" could text a website to some number he had
| set up and it would MMS him back a picture of the website. Worked
| in a pinch. This was in 2005-2008ish. I can't remember who did it
| though. So many years ago.
| Drblessing wrote:
| Had this exact same idea on my last flight! If Telegram is an
| approved messenger you could also create a pretty unrestricted
| bot there too. Very cool.
| xeromal wrote:
| On the planes I've flown with messaging enabled, I usually only
| see iMessage, whatsapp, and facebook messenger.
| Drblessing wrote:
| Shockingly Signal was working on my last flight - maybe
| telegram works but they don't advertise?
| nyuszika7h wrote:
| Maybe it has something to do with WhatsApp also using the
| Signal protocol, though you'd think generally they'd
| whitelist IPs or hostnames rather than doing DPI.
| Drblessing wrote:
| What's DPI? I have no idea how this whitelisting works
| but I'm curious!
| blacksmith_tb wrote:
| Deep Packet Inspection:
|
| https://www.fortinet.com/resources/cyberglossary/dpi-deep-pa...
| anthk wrote:
| Iodine+Mosh against a VPS/Unix Tilde=huge array of text based
| services.
|
| IM, Mail, Text web, ebook reading...
| rschachte wrote:
| One thing that would be interesting is scanning for open ports.
| Once you find an open port, make a Twilio API and text the number
| (since most airlines enable texting via SMS/WhatsApp) that
| triggers opening the port on your VPS that is opened on the
| airplane.
|
| Once you do that, you can tunnel into your VPS through the
| airline's open port or SSH into the machine. If you create a
| SOCKS5 proxy, then all traffic in your browser will tunnel
| through the VPS.
|
| Haven't tried this, but just a thought.
| cmeacham98 wrote:
| It doesn't work like this in the real world. There isn't some
| magic port that just lets you bypass the firewall.
|
| Certain ports sometimes have laxer filtering/restrictions, for
| example 53, 80, and 443 - but you already know these in
| advance.
|
| You aren't going to find out that port 18741 magically gets you
| an unrestricted internet connection.
| 2Gkashmiri wrote:
| Back in 2019 when Indian government put a city of 8 million
| into a 9 month curfew including internet blackout, I was
| anxious to get online. Then they permitted only dozen of "white
| listed websites", just ones that did not allow anti India
| propaganda. Anyways, I found amazon India worked. I went to
| aws, set up a vps and simply used ssh tunnel to it.
|
| It worked, for a bit. They closed the default port and I could
| not spend time on a dedicated public internet terminals to
| "test" open ports so yeah, I have done exactly that.
|
| Used foxyproxy btw
| vgb2k18 wrote:
| >Used foxyproxy btw
|
| HAProxy is also really useful for this purpose, I dare say
| more-so. For my use-case it solved this problem: "Using 1
| port on the remote server (port 443), how can I serve HTTPS
| (serve a website) and SSH or SOCKS5 (use the server as a
| proxy)?". HAProxy was good for the task. It could be used to
| tunnel SSH through HTTPS too, in the case where a corp
| firewall is using DPI to block standard SSH. What I'm not
| sure of though... can it tunnel SSH through HTTPS, and, serve
| a website at the same time? That's a question for the reader.
|
| The idea of serving a website at the same time was for the
| purpose of providing a plausible reason why traffic exists
| from that server. Like, you know, if the admins see traffic
| on 443 from an ip/domain with no website, that's got to be a
| magnitude of suspicion higher than an ip/domain with an
| actual website being served on it.
| toast0 wrote:
| Sure. If you run an https proxy that allows CONNECT, that
| can tunnel ssh, but if you do GET without a fully qualified
| url, that can serve whatever according to the host header.
| If you just wanted to tunnel ssh over tls, it's trickier
| because ssh is server speaks first and http is client
| speaks first, so as a server, you'd have to guess if your
| client wants one or the other.
| 5- wrote:
| nice! next up: encapsulate ip to provide full networking (with
| terrible latency)
|
| also just in case someone is wondering, a more ergonomic solution
| specifically for reading wikipedia on a plane is
| https://kiwix.org
| hamiltonians wrote:
| cool hack
| MauranKilom wrote:
| Wait, is this filtering based on IP or DNS? How do they make sure
| their whitelist remains up to date? (I assume it's HTTPS, so
| those are basically the only two options...)
|
| If it's DNS based, there should be simpler workarounds, so I
| guess it's just IP based?
| toast0 wrote:
| I worked on the technical side of WhatsApp's special pricing
| program (aka zero rating) from when it started, through
| integration with the Facebook Mobile Partner Portal until I
| left in late 2019. We provided partners IP addresses (well a
| list of cidr ip/subnet lengths) and email updates when IPs
| changed. Some partners wanted hostnames, but it wasn't usually
| effective to manage that way; hostnames seemed to work great
| for WAP based special pricing, but not for direct tcp. But
| AFAIK, airline programs were done by the airlines (or whoever
| does their internet service) without consultation with
| WhatsApp. (A special plan for messaging without multimedia
| wasn't within the WA policy, at least while I was there, so we
| wouldn't have helped them build the product they wanted anyway)
|
| There are lots of possible ways to identify WhatsApp traffic,
| but I never had a chance to figure out what they were really
| doing. During that time period, if I was on a flight, I was
| usually with my young child and it's hard to keep focus for
| debugging networking on a plane, anyway. What I saw when I was
| looking was more like what joshvm describes elsewhere. The
| messaging only plans seem to allow most low bandwidth
| connections, with high latency, but they'll actively suppress
| some things, and others stall beyond some threshold; sometimes
| you could get a couple media files to transfer, but then it
| would stop, etc. WhatsApp was engineered to work with the
| world's terrible networks, so it will usually work ok for
| messaging as long as packets get through eventually; connection
| and ping timeouts are long on client and server, because
| sometimes it takes a lot of seconds. If DNS doesn't work,
| that's fine too. Multimedia would usually retry and resume
| enough to work even if connections didn't last long, so I'd
| guess there was something actively suppressing that, but I don't
| really know.
|
| FWIW, chat isn't TLS, so SNI isn't the answer there, although
| at least in the past, the protocol was very identifiable. Been
| gone for a while and don't regularly tcpdump my connections to
| WA anymore, so I don't know if that changed though. Multimedia
| is https, and probably has SNI, although that used to vary by
| platform.
| mgarciaisaia wrote:
| I always thought WhatsApp published their list of IPs
| (segregated by standard chats vs media), but it seems they
| only share CIDR blocks with operators privately:
| https://www.whatsapp.com/cidr.txt
|
| And you say there's no segregation between chat and media -
| and I trust your out of date info more than my completely
| made up guesses.
| toast0 wrote:
| Yeah, that text file included messaging _and_ multimedia
| (and verification and the website, etc); there was another
| one that included those and VoIP relay servers (but VoIP
| also can do p2p, so it's harder to include in special
| pricing), until it moved to the private portal. Customer
| service would sometimes provide the link to that text file,
| and operators we had an active agreement with would get an
| email when the file was updated (or sometimes when my
| scripts broke and did stupid things, sorry operators).
| (While I was there) We never provided a chat only file,
| because chat only is not a user experience we wanted to
| have happen.
| cortesoft wrote:
| It is pretty simple... your filter just makes periodic DNS
| requests to the desired allowed host and updates its IP
| restrictions to the returned address. You also need to run the
| DNS resolver to return that same cached IP to prevent having
| the upstream DNS server return a different address.
|
| You also need to make sure the DNS server will only resolve the
| domains you want it to, because if you allow unfiltered dns
| requests to arbitrary domains, anyone can then tunnel their
| traffic over DNS, as another comment on this thread pointed
| out.
| stefan_ wrote:
| I don't understand, what's the domain of.. WhatsApp? Not to
| mention you are just as likely to hit some Round-Robin
| configuration.
| axiosgunnar wrote:
| This is a very good question.
|
| I would also assume that Whatsapp might change the servers
| used with updates of the app. How would Delta deal with
| that? Just wait for the complaints to come in?
| cranekam wrote:
| WhatsApp (now, since it moved into FB's infra) connects
| to g.whatsapp.net, which is a CNAME to
| chat.cdn.whatsapp.net, which in turn is an A record to a
| VIP on Facebook's edge network. The A record you're
| returned can change -- it's intended to be one that's
| closest to you (as determined by your DNS resolver's
| location and probably EDNS Client Subnet) but traffic
| engineering policies might cause different responses over
| time.
|
| Since on a flight it's likely everyone will use the same
| resolver on the ground somewhere in Delta's
| infrastructure a simple mechanism to resolve the IP
| periodically and update a whitelist (or to cache one VIP
| location and always return that) might work.
| Alternatively, as other commenters have suggested, it'd
| be better to identify traffic with SNI or other
| profiling.
|
| Updates to the app almost certainly won't change the
| address it connects to.
| toast0 wrote:
| > Updates to the app almost certainly won't change the
| address it connects to.
|
| Well, they have before. There's four generations of
| hostnames that were used before g. But g seems likely to
| work for quite a while.
| peeters wrote:
| These days with the prevalence of HTTPS, another option is to
| inspect the TLS client hello packet. To work well with load
| balancers etc, clients typically indicate the server name
| that they're trying to connect to (SNI -
| https://en.wikipedia.org/wiki/Server_Name_Indication). That
| information is not encrypted. So you have both the dst IP and
| hostname in the initial packet.
| Matthias247 wrote:
| Zero-rating at ISPs via SNI inspection is pretty common
| practice
| dapids wrote:
| It's also a preferred hardware inspection as it's dead
| easy to rip the header than to seek mid-message to do
| message entropy/fingerprinting.
| Matthias247 wrote:
| It's indeed pretty simple for TLS over TCP, since the
| whole ClientHello is part of the first packet and
| relatively easy to parse or seek for. With QUIC it becomes a
| major pain, since it's not obvious anymore for
| middleboxes which QUIC packet is the first in a
| connection, and since Crypto data can be fragmented and
| reordered (Chrome is doing that on purpose even inside
| single packets). Therefore hardware inspection would
| require a pretty full-featured QUIC protocol parser and
| understanding.
| toast0 wrote:
| It's easier to just block QUIC. (And UDP in general,
| might as well)
| dapids wrote:
| Interesting, thanks for the insight.
| InvaderFizz wrote:
| Makes me wonder if one could bypass the zero-rating
| scheme with a custom TLS tunnel that sends SNI headers
| for Facebook.com to your own server.
| Matthias247 wrote:
| You probably can. But it would require a custom app that
| doesn't use the same cname for DNS resolution, SNI and
| then inside follow-up requests in the Host header. A web-
| browser would e.g. just use the same values for all of
| those, and then you either get charged or would end up at
| facebook.com.
| Denatonium wrote:
| It could also be TLS-SNI/HTTP-HOST based.
|
| While this doesn't directly address Delta's captive portal
| implementation, on many TP-Link Omada wireless APs, there is a
| feature that allows you to create a captive portal, and when
| doing this, you can either whitelist a website by its hostname
| or by its IP address. I was curious as to how it was filtering
| by hostname, so I ran a few DNS queries, which all resolved
| normally, indicating that it wasn't a DNS-based whitelist.
| Seeing as the whitelisting also worked over HTTPS, I assumed it
| was TLS-SNI. It turns out that anyone can whitelist any IP
| address by visiting any website while sending the SNI of a
| whitelisted hostname. This caused the AP's software to create a
| firewall rule allowing access to the IP address associated with
| the spoofed SNI. After doing this, it was then possible to
| connect to any website hosted on that IP address with any SNI
| hostname.
| userbinator wrote:
| I wonder if anyone has stated a general law along the lines of
| "if you can send and receive a bit, you can send and receive
| anything."
|
| _The only issues ended up being that 1) WhatsApp messages are
| limited to 1600 characters_
|
| Coincidentally, that's not much bigger than the MTU of standard
| Ethernet. I don't know how "transparent" the data channel is with
| respect to non-ASCII (and probably Unicode), but if you use one
| of the various binary-to-text encodings that exist, you could
| probably implement Ethernet over WhatsApp. ;-)
| aaron695 wrote:
| > "if you can send and receive a bit, you can send and receive
| anything."
|
| No, needs work.
|
| Part 1 - No system can be 100%, then you hit the Two Generals'
| Problem..
|
| Part 2 - Just because you can send a bit, that doesn't mean you
| can send 8 in a row. So you write a protocol, then they block
| that protocol, you adapt, they adapt etc etc
|
| Maybe something like ~ any system where you have _any_ control
| over information flow someone has written a protocol to send
| porn over it.
|
| That's just jumping off Rule 34, you could change porn to
| something else
| VWWHFSfQ wrote:
| I actually thought that's what this blog was going to be about.
| Some kind of http encapsulation over Whatsapp. Was disappointed
| that it's just a regular chat bot
| codeflo wrote:
| I once experimented with something like that a few years
| back, when I was regularly using a WiFi that only allowed
| HTTP. It's not hard to tunnel something like SOCKS over TLS
| over base64 over anything that allows sending text, including
| HTTP. Latency might be a lot worse than the special purpose
| chatbot though.
| AlexAndScripts wrote:
| I did the same for getting round those nasty deny-by-
| default deep packet inspection firewalls. HTTP's
| request/response nature made it difficult, but it can be
| gotten around in-spec by pretending you are streaming back
| a lot of data, split over multiple packets.
| cortesoft wrote:
| I don't think that is necessarily a law. There would be ways to
| actually restrict access in better ways... you would likely be
| right if you amended it to the ability to send a bit to an
| endpoint you control.
| iratewizard wrote:
| After writing code for locking down tablets used by prison
| inmates, I definitely agree that it's not much of a law.
| pennaMan wrote:
| I feel the urge to apply to that company and squeeze a
| backhanded backdoor on those tablets
| pokeymcsnatch wrote:
| Electrical/embedded guy here. My similar law is "if you can
| blink an led, you can do anything".
| Cerium wrote:
| My take has always been: If you can't blink an LED, you can't
| do anything.
|
| My first priority is to get an LED blinking, and keep it
| blinking. Every other feature is less important.
| goldenkey wrote:
| I blinked an LED in my cell but I'm still behind bars.
| Guess these dumb adages don't really hold a candle to
| reality.
| moron4hire wrote:
| If you can blink an LED, you have DC current and can
| electrochemically dissolve those bars.
| pbhjpbhj wrote:
| An LED on what? If you were MacGyver you'd have converted
| that into a laser, or used some sort of welding tool to
| melt through the bars!
| EMIRELADERO wrote:
| > I wonder if anyone has stated a general law along the lines
| of "if you can send and receive a bit, you can send and receive
| anything."
|
| In my country we have a telecom service provider law, which
| states, among other things:
|
| ARTICLE 57. - Network neutrality. Prohibitions. Service
| Providers shall not:
|
| a) Block, interfere, discriminate, hinder, degrade or restrict
| the use, sending, reception, offering or access to any content,
| application, service or protocol except by court order or
| explicit request of the user.
| lolinder wrote:
| I think OP meant "law" as in "law of gravity" not as in
| legality.
| kirel33 wrote:
| You can simply split packets into multiple messages and tag
| them with a unique code and use base64 (or something more
| efficient), that's how you can do things like do IP over IRC
| which has even more restricted character counts.
|
| The problem is always going to be bandwidth as doing any kind
| of communication across systems optimized for human text will
| throttle you: you'll trigger spam warnings, rate limits, etc. -
| and the modern web is extremely demanding.
| Egrodo wrote:
| I think about creating this project every time I'm on a Delta
| flight, great to see someone actually did it.
| Nextgrid wrote:
| Almost a decade ago a French mobile carrier had their entire
| domain and subdomains zero-rated - one of the subdomains had a
| phpBB forum - someone created a little script to tunnel full
| layer 3 communication over the forum's private messaging
| functionality. I'd imagine it would slaughter the DB if you tried
| to pass any significant traffic through it but as a demonstration
| it was cool and worked fine.
| aledalgrande wrote:
| On a recent flight I bought a "streaming" package, was either the
| most expensive or second most. Could barely navigate to web
| pages.
| turdnagel wrote:
| For some reason I just eat these kinds of projects up. As a kid I
| went on a cruise with my parents with very limited internet
| access and discovered HTTP-over-DNS (using TXT records), which
| remains my favorite captive portal workaround.
| 7402 wrote:
| Sure, it's always interesting to investigate vulnerabilities and
| design deficiencies, and it can be beneficial especially when the
| goal is improving security for everyone.
|
| But it's hard for me to celebrate someone whose motivation seems
| to be that they are simply too cheap to pay for something that
| other, more honest, people are willing to pay for. In this case,
| it probably doesn't affect anyone else if the author only
| downloads a few articles, but in general, if internet bandwidth
| on an airplane is a limited resource, then using large amounts up
| in this way to the detriment of others would just be stealing.
| redox99 wrote:
| Most people wouldn't mind some kind of throttling, as long as
| it is net neutral. The problem here is the lack of net
| neutrality.
| mmh0000 wrote:
| Many years ago (2012) Delta inflight wifi would allow DNS queries
| out without paying. Being a very frequent flyer I used to run an
| ip-over-dns tunnel using Iodine[1]. It was slow but worked. I
| wonder if they've blocked that hole yet.
|
| [1] https://code.kryo.se/iodine/
| Macuyiko wrote:
| I also used this a lot while travelling to access the internet
| through captive wifi portals. Especially in Asia this worked
| very well, given the huge amount of telco wifi providers in
| cities.
| iforgotpassword wrote:
| I did the same on trains in the 00s, but built application
| specific tunnels which were much faster, funnily enough among
| them was one that would fetch Wikipedia pages. The client would
| piece together the replies and render the markup to html again.
| zamadatix wrote:
| When selecting my personal use domain I ended up spending some time
| finding a short domain partly because it's convenient but
| partly because it meant more goodput via Iodine. I ended up on
| "ds.gy" as ds are my initials and it was the only TLD that
| domain wasn't sat on by squatters wanting to charge
| thousands. The ratio of people wanting to sell you short domains
| vs actually using them in any capacity was surprising.
| ale42 wrote:
| I tried Iodine around 3 years ago on a Swiss flight, it worked
| to read my mails over SSH using Alpine, but was so slow that
| basically it was unusable. Not sure what was going on, I had
| the impression that DNS queries were getting throttled after
| some threshold...
| anthk wrote:
| Check Mosh, Mosh works on ISDN level speeds.
| siraben wrote:
| I can confirm that this still works on several US airlines
| especially if they have a free messaging option.
| [deleted]
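
The DNS tunnels discussed in this subthread (Iodine, HTTP-over-DNS via TXT records) leave a recognisable shape in resolver logs, which is what a captive-portal operator would look for. This is an added example, not code from the thread or from the Iodine project; the log format, thresholds, IP addresses and domain names are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def split_name(qname, base_labels=2):
    """Return (subdomain, base). Assumption: the base is the last two labels;
    a real deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_tunnel_suspects(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag (client, base domain) pairs with many unique, long, high-entropy
    subdomains: the shape data takes when it is encoded into query names."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, base = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)
    suspects = []
    for (client, base), subs in sorted(seen.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            suspects.append({"client": client, "base": base, "unique": len(subs),
                             "avg_len": round(avg_len, 1), "entropy": round(entropy, 2)})
    return suspects

# Constructed sample log (client IP, query name); none of this is real traffic.
SAMPLE = (
    # ordinary browsing: few subdomains per base domain
    [("10.0.0.5", n) for n in ("www.wikipedia.example", "en.wikipedia.example",
                               "mail.corp.example")]
    # CDN-style pattern: many unique subdomains, but short ones
    + [("10.0.0.6", f"img{i}.static.example") for i in range(8)]
    # tunnel-shaped: every query carries a fresh 48-character encoded label
    + [("10.0.0.7", hashlib.sha256(b"chunk%d" % i).hexdigest()[:48] + ".tunnel.example")
       for i in range(6)]
)

if __name__ == "__main__":
    for hit in find_tunnel_suspects(SAMPLE):
        print(hit)
```

Only the third client is flagged: the CDN-style client has enough unique names but they are short, so requiring all three conditions keeps it out of the results.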
| kache_ wrote:
| lol holy shit I'm never going to have an unproductive flight
| again
| joshvm wrote:
| My experience with in-flight message-only WiFi is that they're
| just really slow and the ping times are long. Some services are
| actively blocked, e.g. Skype wouldn't work at all even for text
| messages, but browsing the internet is usually allowed. My VPN
| wouldn't work, but I suspect it might have if I used an
| obfuscated connection instead of OpenVPN or whatever the default
| is (e.g. over SSL). I could load GMail in the browser and
| Wikipedia probably would have worked. It's strongly website
| dependent. Hacker News is extraordinarily resilient to lousy
| connections and generally the index would always load without any
| trouble. It works even on a 3 second ping over satellite
| internet. Very few websites are that tolerant.
|
| The flight crew (BA) knew what's up. They specifically warned us
| to check which package we were getting, because evidently they
| get a lot of complaints when people buy the message-only bundle
| and are surprised that nothing works.
|
| Singapore gave out free passes for single devices last time I
| flew with them. It was possible to rotate MAC addresses by
| forgetting the connection and then re-joining. The connection was
| quite good, you could watch YouTube in potato resolution. It's
| quite fun to chat to people and send them photos out of the
| window.
| johnwalkr wrote:
| > Hacker News is extraordinarily resilient to lousy connections
|
| It really is. Where I live when you run into the limit of your
| data package, your network is usually throttled to 100kbps. I
| changed my plan to just 3GB per month because I was staying at
| home most of the time due to the pandemic. Now I'm pretty much
| back to my old routines, but I didn't change my plan yet. I
| have a 45 minute train commute and 3GB can be used up in a few
| days just browsing reddit and loading news sites.
|
| Anyway, google search, hacker news and facetime audio work as
| normal at 100kbps. Google maps works with a bit of patience.
| Virtually nothing else will load. 5 years ago most text-based
| things worked at this speed albeit slowly. Now everything is so
| bloated and so much content will not load or show until fonts and
| things are loaded.
| jjeaff wrote:
| I carry one of those tiny wireless routers in my carry on
| wherever I go. If I have to buy internet on the plane or if I
| am in a hotel that limits the number of devices, I always
| connect through the router and use it as an access point for
| all the other devices.
|
| The other added benefit is that all my other devices already
| have my AP's wifi creds and will connect to it automatically.
| nullify88 wrote:
| What do you do when wifi has a captive portal though
| requiring a user name and password?
|
| I use my Samsung S10 for exactly this as it has multiple
| radios that allows connecting to wifi and hotspotting to
| share that connection with other devices. Great for
| Chromecasting.
| SargeDebian wrote:
| The first device to connect has to go through the captive
| portal, then the rest doesn't.
|
| Also works well if your 2nd device doesn't support captive
| portals (Chromecast, Tesla car).
| 867-5309 wrote:
| you would need a router which supports WISP Repeater mode.
| some GL.inet products support this
| richiezc wrote:
| I used to just clone the MAC address across my iPhone and
| laptop and switch between them, so I guess you could use
| your phone to get through the captive portal and then
| connect with a travel router that clones the phone's MAC
| address.
| 3np wrote:
| Which one do you use?
| mmmmmbop wrote:
| Not GP, but I've been using the GL.iNet Beryl (GL-MT1300)
| and I'm really happy with it.
| t-0 wrote:
| I've been thinking about doing something similar and am
| really interested in what hardware you're using for this and
| what your setup looks like. Do you run a VPN service directly
| on your router, for example?
| sva_ wrote:
| I was recently on a United flight and the free 1h "text only"
| option gave me access to the whole internet, and I could
| reactivate it after an hour. I think maybe they unlocked it
| because the flight had a delay - or it was a bug. The flight
| crew didn't inform us about it though. I also didn't notice any
| other people using it.
|
| The connection was pretty damn good, considering I was
| somewhere over the Atlantic. It was shocking to me how much
| more enjoyable the flight was, makes me wonder how hooked I am
| to being connected. (I also had extra legroom and an empty seat
| next to me though.)
| userbinator wrote:
| It sounds like what you're getting on a plane is actually
| satellite internet.
| dreamcompiler wrote:
| Satellite is always what you get on planes if you fly over an
| ocean. If you're flying over land, sometimes it's satellite
| and sometimes it comes from ground-based cells. Depends on
| the airline and the plane's equipment.
| joshvm wrote:
| Yes, it is. One of the biggest providers is called GoGo who
| in turn use satellites from SES. My comment about satellite
| was that I've also worked in very remote places using much
| poorer links and HN _still works_, amazingly.
| punnerud wrote:
| "WhatsApp messages are limited to 1600 characters" If that is
| UTF32 we have 51200 bytes or 50kB per message.
|
| "the basic free accounts I was using rate-limit to ~1QPS" That is
| 400kbit/s. Can we have multiple accounts? 40 accounts would give
| us a theoretical maximum speed of 16Mbit/s. Would probably be closer
| to 10Mbit/s in real life, enough to watch movies.
|
| Example library for sending/receiving WhatsApp text:
| https://github.com/open-wa/wa-automate-python
| jonathantf2 wrote:
| The last time I was on a flight that had WiFi (AA about 5 years
| ago) I tried 2 ways to get around the captive portal, both
| successful:
|
| 1. Setting my useragent to iOS Safari and trying to download the
| Gogo Player app to watch one of the free films. If you have
| Android this just serves the APK but on iOS it just has to dump
| you to the App Store. This seemed to give me a good half hour of
| connectivity.
|
| 2. I went on the live chat and asked for a free connection. The
| agent gave it to me.
| Shadonototra wrote:
| here's an idea:
|
| take a screenshot of the website and send it back as a compressed
| base64 text or whatever will produce the smallest result
|
| then decode that image from the text on your phone
| kilroy123 wrote:
| Yeah this seems much better. Very doable over WhatsApp.
___________________________________________________________________
(page generated 2022-05-22 23:02 UTC)