> We first show how travel eSIMs often route user data through third-party networks [---] Second, we analyze the implications of opaque provisioning workflows, documenting how resellers can access sensitive user data [---]. Third, we validate operational risks such as deletion failures and profile lock-in using a private LTE testbed.
So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered. Table 1 is worth a read. The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS. If you're on DoH (DNS over HTTPS), you're even using it for host lookups.
> The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS.
That should matter a lot to the common person, TLS or not doesn't matter, what matters is who talks to who, and who talks when. That information alone can give you many useful insights.
It’s a bold assumption that only China is tracking this info though. Mobile operators are some of the worst at selling ‘anonymised’ data on their users
Is it not worth it to keep private data flowing through companies which we could hold to account and, perhaps later on, restrict from such practices, than flowing through a jurisdiction over which we have no control and which does not much care about our opinion?
Is it possible? The EU is finding now that it is hard to keep data from the USA, which as a jurisdiction falls as much into that category as China does.
I would argue it is not possible to ever consider the internet 'safe' because you happen to flow through country x, and not country y. Instead, we must keep working on the protocols that we use to try to reduce exposure as much as possible.
Depends. Obviously Tanzania can't do it. Neither could the EU, the tech sector's not big enough. But the US could. And you can always keep it to "geopolitical allies", or at least away from "geopolitical enemies".
> I would argue it is not possible to ever consider the internet 'safe' because you happen to flow through country x, and not country y. Instead, we must keep working on the protocols that we use to try to reduce exposure as much as possible.
Firstly, there are only three ways that I know of to keep metadata (not content, which can simply be encrypted) away from the people that route your packets.
1) Onion routing (Tor). This cannot be used for general purpose multimedia usage because of slow speeds (any slow middle node can make it slow, and the higher the speed you require your nodes to be, the fewer nodes you have, lowering the security of your network).
2) VPNs. This obviously pushes the problem of trust back to the VPN company. Which is fine, it only needs to be more trustworthy than the ISP. But jurisdiction is a very important topic here, which only makes my point more so.
3) Put everything on one of a few global CDNs. That way, all network traffic is just encrypted requests to Google, Cloudflare, Amazon and Azure servers. This obviously has the problem that the CDN company now knows what you're doing.
Unfortunately, the EU doesn't seem interested in private protocols.
https://www.europarl.europa.eu/doceo/document/E-10-2025-0032...
> Neither could the EU, the tech sector's not big enough.
Sorry? You're aware of the fact that the EU tech sector has several parties that could do this by themselves if they felt the need to do so?
> It’s a bold assumption that only China is tracking this info though
It's not an assumption? Nowhere in the above thread is that an assumption made, neither do any of the relevant points rest on such an assumption.
Like saying 'It should not matter too much to the common person if most of their shit makes it into the toilet.'
It might not matter hugely to most people, that's true, but as someone who's used eSIMs while abroad in both Australia and Canada earlier this year (from Airalo and Nomad - they seemed at the time to be fairly well regarded), I was surprised to see my traffic routed through Hong Kong in both cases.
Google and Duck Duck Go both on the phone assumed I was in Hong Kong when searching, even though I was in Sydney and Vancouver respectively, which did make searching for local places a tiny bit more frustrating.
The ones selected here are using the worst, lowest-bar providers that are resellers of the lowest-cost network with the absolute lowest quality. In this case roaming via probably Three HK and Plus Poland is the "norm".
These are some of the most "slop" providers, which are mostly ads and affiliate links unfortunately. It's the same reputation as NordVPN, where the best you could say is that it's well known.
What matters very much in practice is the latency. It's fine if you just need a little bit of connectivity to occasionally send a message or be able to find something on Google Maps, but just browsing the web can be painfully slow with some of the providers.
1/ ISP or the website you're accessing can see the DNS queries and block traffic. My eSIM routes through Hong Kong, which means no ChatGPT.
2/ iPhones don't let you set the DNS provider / DoH for cellular
3/ DoH breaks wifi redirect walls, making it tedious to enable/disable. Like you can't just enable DoH for certain apps or disable it for others.
2) I believe you can using profiles like those available here[0].
[0]: https://github.com/paulmillr/encrypted-dns
> 3/ DoH breaks wifi redirect walls, making it tedious to enable/disable
Since this is a security focused discussion, why do you see wifi hijacking your dns lookups as something desirable?
Because there are a lot of situations, like being in a hotel, where you simply can't do anything to avoid it and have to live with it / work around it.
And while we all would like to live in that perfect ivory tower of CIA-level security, we mostly live in the real world and have to make do with what we have.
wifi hijacking is here to stay.
The solution is to detect it happening, and then switch to a different 'mode' where you ignore all https certs but never send any private data and never trust any data received.
You have to use a client side app firewall to prevent all traffic until you have acquired your session.
This is extremely difficult to do even for skilled people.
Android has the ability to isolate the network stacks for different apps/connections till you have cleared the wifi portal.
Often the wifi will not let you "out" until you've been through their landing page, and there's no other mechanism to do this other than hijacking DNS?
> DoH breaks wifi redirect walls
Is that really true? I would have thought all the automatic detection features try with unencrypted DNS? They should anyway.
Ideally it’d actually be RFC 8910 detection (and subsequently RFC 8908 API) but standards usage is generally incompatible with giving POs something to do
Just get a VPN and then you can route your traffic wherever you want and not have to worry about what the carrier is doing.
vpn appears to only work sporadically in china.
All VPNs work without problems with China if you're roaming into their network with a foreign (e)SIM.
You will get unfiltered western internet as a tourist.
Which cost me a fortune once when I plugged my phone into laptop to charge (before free global roaming). Dropbox had been blocked for a week, suddenly a flurry of sms arrived (out of order). I’d spent £250 in 3 minutes.
I feel for you. Why would you allow laptop traffic to be routed through the phone though? At least in iOS plugging the phone for charging or backup does not automatically tether.
I often tether off my phone so it has tethering enabled, it just hadn't charged from the laptop in all that time
Wasn't a lot in the grand scheme of things - less than the cost of a night in the hotel, let alone the full trip
> Dropbox had been blocked for a week
Why was it blocked for a week? Not sure I understand what happened to you.
China blocked it.
iCloud Private Relay fixes all three i think :)
I’m a little confused, are you physically located in China or is your data getting routed through China despite you live somewhere else? I can’t figure out what’s being said here.
> So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered.
When the bar of entry is lowered, then that makes it easier for providers who offer privacy to enter the market. So that people who care about this sort of thing can choose them.
What if TLS won't be relevant in a few years to a decade? Bad actors can hoard encrypted traffic and have the data decrypted when the time comes?
Nothing. If you want perfect secrecy, you gotta use one-time pads with a one-time MAC, which is not really practical. Think having to buy disposable SD cards with 1 TB of randomness on them from your ISP, making your data cap very literal.
Even then, you'd be relying on the randomness source being good, which is not trivial. What if the ISP colludes, how would you ever know?
The most secure way to communicate is to not communicate at all, as always. Or to be more specific, to at least not involve an intermediary if you can choose so. Short of that, all that remains is the unproven hardness assumptions.
I'm actually surprised that steganography isn't talked about more yet. Tor and Monero are concrete examples of systems that work as long as they have enough traffic. But being able to overlay Tor on normal traffic would be really annoying for those trying to listen.
TLS exposes hostnames in plaintext via SNI. If using a TLS version below 1.3, hostnames contained in the server certificate are in plaintext, too. ECH is still "experimental", not in widespread use, with no delivery deadline.
In theory encryption is something that protects the "common person", but SillyCon Valley's version of encryption, "TLS", is, unfortunately, mostly used for data exfiltration by third party intermediaries, so-called "tech" companies, i.e., opportunistic "business people".
Rather than protecting the "common person", the _primary_ use of "TLS" is to facilitate violation of the "common person's" privacy for profit, and to protect the third party intermediary's privacy intrusions from detection by the "common person", by making it difficult for the "common person" to monitor the outgoing traffic from their computers.
The privacy risk created by this third-party controlled encryption ("TLS") is why corporations must perform "TLS inspection". They have to decrypt TLS connections and then re-encrypt them in order to monitor the outgoing traffic from their networks. But the opportunistic "business people" in SillyCon Valley know the "common person" will not do TLS inspection.
But that's not all. Further third parties, more opportunistic "business people" called "certificate authorities" play a disproportionate role in brokering TLS connections, deciding on behalf of the "common person" who is trustworthy and who is not. This largely relies on "ICANN DNS", another laughable SillyCon Valley implementation, and is thus severely flawed, but that is another topic.
SillyCon Valley's so-called "tech" companies utilise this third party "CA system" to make it difficult for the "common person" to exercise control over deciding who they want to trust or distrust, e.g., by frustrating the use of so-called "self-signed certificates" by the "common person". Meanwhile, the SillyCon Valley companies ensure that _by default_ the SillyCon Valley companies' certificates are trusted. In some cases, the certificates (or their digital fingerprints) are hardcoded into software used by the "common person".
Despite what the average "tech" worker would like the "common person" to believe, "TLS" is not synonymous with "encryption". Nor is criticism of TLS necessarily criticism of encryption. TLS is only a lame, user-hostile implementation of encryption that the "common person" must suffer while so-called "tech" companies use it to protect their surreptitious data collection from the "common person".