Upside-down-ter-net v2.0

Here at Open Office, we’ve always wanted to implement upside-down-ternet. And now it’s 2016 and with CSS, you can make your wifi-stealing-neighbour’s web browser do all the hard work. This means that a simple OpenWRT router will have enough power to flip the internet – all of it, except for the ssl-protected areas.

If you’ve been around long enough, you probably remember “Upside-Down-Ternet”, a very clever way to (sort of) protect your wireless internet against your neighbours – if they’re not from Australia, that is.

Back in the day, you had to download all the images on a page, rotate them 180 degrees (with imagemagick or another scripted image editor) and then serve them to the client (the web browser) again. To be able to do that, you needed storage space and processing power, which pretty much ruled out using OpenWRT. But now it’s 2016, and turning images upside down would, obviously, be a better job for your neighbour’s web browser’s CSS handling routines. For this, a simple search-and-replace in the HTML code is sufficient.

Here’s what you’ll need:

  • A Linux system that is able to run “privoxy”. OpenWRT is just fine for that. Feel free to use heavier machinery, but a simple sub-€100 router is just what you need.
  • Command line access to this machine.
  • Eh, that’s it. Pretty much. Yeah, some knowledge of Linux config file editing will help you.

Also, please note, again, that it’s 2016 and in the 10 years since the original Upside-Down-ternet, a lot has changed in web site security. If a web page is SSL-based, like many of the larger sites nowadays, you won’t be able to spoof its content. Most notably, Google is SSL-only, which means you can’t flip Google search results. Sorry. Think you can? Read BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf and think again.

There’s an upside to 2016 as well, which is Unicode. You can semi-flip anything you want by using Unicode “homographs”. And yes, since SSIDs can be Unicode, your new wifi-network can have an upside down name.

So let’s start flipping the Internet. In the text below, we’ll use “openwrt.example.com” as your OpenWRT url. First, we’ll install Privoxy. After that, we’ll add a wifi-subnet to proxy through it. Finally, we’ll configure Privoxy. We do it this way to make sure installing Privoxy works – otherwise this blog could make for a whole lot of useless configuration editing.

  1. Go to openwrt.example.com/cgi-bin/luci/admin/system/packages and install privoxy. Better not install luci-app-privoxy or its cousins; I won’t use them.
  2. Connect to openwrt.example.com with SSH and see if you can log in and look around. Is /etc/privoxy/ there? Is /etc/config/privoxy there?

Did that work? Good. Let’s configure the network:

  1. Add a new wireless SSID. Go to openwrt.example.com/cgi-bin/luci/admin/network/wireless, click “Add”. A very funny thing is that ESSIDs can be Unicode these days. This means that you can name your new Wifi-station “ʇǝuɹǝʇuʍopǝpısdn”, “ɯosɹǝpuɐ”, “ɟdoʞ uǝp ɟnɐ”, “uǝʌoqǝʇsɹǝpuo” or whatever you can think of.
  2. On this same page, there is a list of networks, right under “Interface Configuration”. Choose “create” here and name your new network. Let’s call it “upsidedown”.
  3. Set any wireless options you would like to set, then click “save” or “save and apply”.
  4. Go to openwrt.example.com/cgi-bin/luci/admin/network/network/upsidedown. Change “unmanaged” to “static address” and add an IP-address. For example, use 10.171.205.7 with 255.255.255.0 as netmask. Click “save” – do this before clicking the DHCP stuff or your changes will be lost. So do click “save”, then click “setup DHCP server”. Click “save” again – the defaults are fine.
  5. Now go to the tab “firewall settings” and click “unspecified or create”. Name the new zone “upsidedown”. Click “save”.
  6. Go to openwrt.example.com/cgi-bin/luci/admin/network/firewall/forwards/ to create a new port forward. Any TCP-traffic heading for port 80 will be redirected to Privoxy, so add a rule named upsidedown-privoxy, protocol TCP, external zone upsidedown, external port 80, internal zone upsidedown, internal IP address 10.171.205.7 (the one we used in step 4), internal port 8118 (the default for Privoxy). Click Add.
  7. Go to openwrt.example.com/cgi-bin/luci/admin/network/firewall/rules/ and add a forward rule to enable traffic to https-sites. Yes, that’s the downside of upside-down: in order for the user to experience some sort of internet, you will probably need to enable some sort of https access. Alternatively, you could try to redirect search traffic intended for Google (which is https-only) to bing.com (which is http), but that is left as an exercise to the reader. So add a forward rule with the name of upsidedown-ssl, source zone upsidedown, destination zone wan (or whatever you call your internet), click add and edit.
  8. Change protocol to TCP, enter 443 for destination port and click save. There should be a rule now that says “Any TCP From any host in upsidedown To any host, port 443 in wan” which has accept forward for action.

All right, we’re done here. Click “save and apply” somewhere. Now the only thing we need to configure is Privoxy.

  1. Log into your router and go to /etc/config/ to edit privoxy. Add – actually replace – the following lines. Replacing means that any other occurrence of filterfile, actionsfile, listen_address etcetera should be commented out or deleted:
    list filterfile 'upsidedown.filter'
    list actionsfile 'upsidedown.action'
    list listen_address '10.171.205.7:8118'
    option accept_intercepted_requests '1'
    list permit_access '10.171.205.0/24'
  2. Go to /etc/privoxy/ and add a file named upsidedown.filter. In it:
    FILTER: upsidedown Replace <head....> with <head...><style>...</style>
    s|(<head[^>]*>)|$1<style>body{transform: rotate(180deg);}</style>|i
  3. Add another file to /etc/privoxy/, this time upsidedown.action:
    { +filter{upsidedown} }
    /
  4. Start privoxy by typing
    /etc/init.d/privoxy enable; /etc/init.d/privoxy restart
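
The substitution in upsidedown.filter can be tried on sample HTML before it goes on the router. The Python below is an added example, not part of the original post: it models the s|…|…|i rule with Python’s re module (assumption: only the first match is rewritten, as in Perl without the g flag), and STRICT_PATTERN, was_rewritten and the sample documents are constructed for illustration.

```python
import re

# Text that upsidedown.filter inserts, copied from the filter line in the post.
INJECTED = "<style>body{transform: rotate(180deg);}</style>"
PAGE_PATTERN = r"(<head[^>]*>)"           # pattern exactly as in the post
STRICT_PATTERN = r"(<head(?:\s[^>]*)?>)"  # hypothetical variant: <head> only

# Marker a client can look for to notice that plain-HTTP HTML was rewritten.
FLIP_RE = re.compile(r"<style>[^<]*transform:\s*rotate\(180deg\)", re.I)


def apply_filter(html, pattern=PAGE_PATTERN):
    """Model s|pattern|$1<style>...</style>|i: first match only, any case."""
    return re.sub(pattern, lambda m: m.group(1) + INJECTED, html,
                  count=1, flags=re.IGNORECASE)


def was_rewritten(html):
    """True if the document carries the injected rotate(180deg) style."""
    return bool(FLIP_RE.search(html))


# Constructed sample documents (not captured traffic).
NORMAL = ("<html><head><title>t</title></head>"
          "<body><header>h</header></body></html>")
UPPER = '<HTML><HEAD lang="en"><TITLE>t</TITLE></HEAD><BODY>x</BODY></HTML>'
NO_HEAD = "<html><body><header class='top'>h</header><p>x</p></body></html>"


def report():
    """Return (document, pattern, rewritten?) for every combination."""
    rows = []
    for name, doc in (("normal", NORMAL), ("upper", UPPER),
                      ("no_head", NO_HEAD)):
        for label, pat in (("page", PAGE_PATTERN),
                           ("strict", STRICT_PATTERN)):
            rows.append((name, label, was_rewritten(apply_filter(doc, pat))))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-8s %-6s rewritten=%s" % row)
```

On a document without a head element the post’s pattern falls through to the first header tag, so the style still lands in the page; the stricter variant leaves such a document untouched.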

That should be all! Now connect to your new wifi-network and see if it works. Reload this site and check, is it upside down?

If it isn’t: oops. Please check.

If it is: cool! It works! Now for some final notes.

  1. As said before, https-sites won’t turn upside down and you won’t be able to fix that easily. We’re doing MITM here and that’s simply getting too hard for the average user or sysadmin.
  2. A second remark is regarding the CSS I’m using. I am by no means a web programmer of any kind. This means that my replacement filter probably isn’t good enough. Drop me a line if you know better and I’ll see what I can do. Yes, I’ve read about all the -moz-translate, -webkit-translate and the like, I thought just using translate would be enough so that’s what I’m using.
  3. I only accept port 80 and port 443 and that is on purpose. So this network will not let you use any other protocols, it will just serve 443 and 80. Should you want to provide some sort of Free Public Wifi, then enable everything from zone upsidedown to zone wan and leave out the special rule for https.