| ▲ | flowerthoughts 12 hours ago |
| > We first show how travel eSIMs often route user data through third-party
networks [---] Second, we analyze the implications of opaque provisioning
workflows, documenting how resellers can access sensitive user data [---]. Third, we validate operational risks such as deletion failures and profile lock-in using a private LTE testbed. So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered. Table 1 is worth a read. The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS. If you're on DoH (DNS over HTTPS), you're even using it for host lookups. |
|
| ▲ | jacquesm 6 hours ago | parent | next [-] |
| > The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS. That should matter a lot to the common person, TLS or not doesn't matter, what matters is who talks to who, and who talks when. That information alone can give you many useful insights. |
| |
| ▲ | jdsnape 6 hours ago | parent | next [-] | | It’s a bold assumption that only China is tracking this info though. Mobile operators are some of the worst at selling ‘anonymised’ data on their users | | |
| ▲ | serbuvlad 4 hours ago | parent [-] | | Is it not worth it to keep private data flowing through companies which we could hold to account and, perhaps later on, restrict from such practices, than flowing through a jurisdiction over which we have no control and which does not much care about our opinion? |
| |
| ▲ | 1970-01-01 4 hours ago | parent | prev [-] | | Like saying 'It should not matter too much to the common person if most of their shit makes it into the toilet.' |
|
|
| ▲ | pixelesque 10 hours ago | parent | prev | next [-] |
| It might not matter hugely to most people, that's true, but as someone who's used eSIMs while abroad in both Australia and Canada earlier this year (from Airalo and Nomad - they seemed at the time to be fairly well regarded), I was surprised to see my traffic routed through Hong Kong in both cases. Google and Duck Duck Go both on the phone assumed I was in Hong Kong when searching, even though I was in Sydney and Vancouver respectively, which did make searching for local places a tiny bit more frustrating. |
| |
| ▲ | galaxy_gas an hour ago | parent [-] | | When the selected here its are using the worst lowest bar providers that are reseller of lowest cost network with the absolute lowest quality, In this case roaming probably Three HK and Plus Poland are the "norm" These are some of the most "slop" provider, which is mostly ads and affiliate links unfortunately. It's same reputation as nordvpn whereas the best you could say is it's well known |
|
|
| ▲ | tgsovlerkhgsel 8 hours ago | parent | prev | next [-] |
| What matters very much in practice is the latency. It's fine if you just need a little bit of connectivity to occasionally send a message or be able to find something on Google Maps, but just browsing the web can be painfully slow with some of the providers. |
|
| ▲ | itake 11 hours ago | parent | prev | next [-] |
| 1/ ISP or the website Youre accessing can see the DNS queries and block traffic. My eSIM routes through Hong Kong, which means no ChatGPT. 2/ iPhones don't get you set the DNS provider / DoH for cellular 3/ DoH breaks wifi redirect walls, making it tedious to enable/disable. Like you cant just enable DoH for certain apps or disable it for others. |
| |
| ▲ | bdhcuidbebe 10 hours ago | parent | next [-] | | > 3/ DoH breaks wifi redirect walls, making it tedious to enable/disable Since this is a security focused discussion, why do you see wifi hijacking your dns lookups as something desirable? | | |
| ▲ | 6 hours ago | parent | next [-] | | [deleted] | |
| ▲ | avhception 9 hours ago | parent | prev | next [-] | | Because there are a lot of situations, like being in a hotel, where you simply can't do anything to avoid it and have live with it / work around it. And while we all would like to live in that perfect ivory tower of CIA-level security, we mostly live in the real world and have to make do with what we have. | |
| ▲ | londons_explore 8 hours ago | parent | prev | next [-] | | wifi hijacking is here to stay. The solution is to detect it happening, and then switch to a different 'mode' where you ignore all https certs but never send any private data and never trust any data received. | | |
| ▲ | nerpderp82 6 hours ago | parent [-] | | You have use a client side app firewall to prevent all traffic until you have acquired your session. This is extremely difficult to do even for skilled people. | | |
| ▲ | londons_explore 5 hours ago | parent [-] | | Android has the ability to isolate the network stacks for different apps/connections till you have cleared the wifi portal. |
|
| |
| ▲ | pjc50 9 hours ago | parent | prev [-] | | Often the wifi will not let you "out" until you've been through their landing page, and there's no other mechanism to do this other than hijacking DNS? |
| |
| ▲ | cube2222 10 hours ago | parent | prev | next [-] | | 2) I believe you can using profiles like those available here[0]. [0]: https://github.com/paulmillr/encrypted-dns | |
| ▲ | IshKebab 11 hours ago | parent | prev | next [-] | | > DoH breaks wifi redirect walls Is that really true? I would have thought all the automatic detection features try with unencrypted DNS? They should anyway. | | |
| ▲ | astafrig 10 hours ago | parent [-] | | Ideally it’d actually be RFC 8910 detection (and subsequently RFC 8908 API) but standards usage is generally incompatible with giving POs something to do |
| |
| ▲ | Gigachad 11 hours ago | parent | prev | next [-] | | Just get a VPN and then you can route your traffic wherever you want and not have to worry about what the carrier is doing. | | |
| ▲ | coderatlarge 10 hours ago | parent [-] | | vpn appears to only work sporadically in china. | | |
| ▲ | lazycatjumping 10 hours ago | parent | next [-] | | All VPNs work without problems with China if you roaming into their network with a foreign (e)SIM. You will get unfiltered western internet as a tourist. | | |
| ▲ | hdgvhicv 9 hours ago | parent [-] | | Which cost me a fortune once when I plugged my phone into laptop to charge (before free global roaming). Dropbox had been blocked for a week, suddenly a flurry of sms arrived (out of order). I’d spent £250 in 3 minutes. | | |
| ▲ | mynegation 5 hours ago | parent | next [-] | | I feel for you. Why would you allow laptop traffic to be routed through the phone though? At least in iOS plugging the phone for charging or backup does not automatically tether. | | |
| ▲ | hdgvhicv 3 hours ago | parent [-] | | I often tether off my phone so has tethering enabled, just hasn’t charged from the laptop in all that time Wasn’t a lot in the end scheme of things - less that the cost of a night in the hotel, let alone the full trip |
| |
| ▲ | zx8080 8 hours ago | parent | prev [-] | | > Dropbox had been blocked for a week Why was it blocked for a week? Not sure I understand what happened to you. | | |
|
| |
| ▲ | snm99 10 hours ago | parent | prev [-] | | [dead] |
|
| |
| ▲ | jb1991 10 hours ago | parent | prev | next [-] | | I’m a little confused, are you physically located in China or is your data getting routed through China despite you live somewhere else? I can’t figure out what’s being said here. | |
| ▲ | lazycatjumping 11 hours ago | parent | prev [-] | | [dead] |
|
|
| ▲ | yard2010 9 hours ago | parent | prev | next [-] |
| What if TLS won't be relevant in a few years to a decade? Bad actors can hoard encrypted traffic and have the data decrypted when the time comes? |
| |
| ▲ | perching_aix 8 hours ago | parent [-] | | Nothing. If you want perfect secrecy, you gotta use one-time pads with a one-time MAC, which is not really practical. Think having to buy disposable SD cards with 1 TB of randomness on them from your ISP, making your data cap very literal. Even then, you'd be relying on the randomness source being good, which is not trivial. What if the ISP colludes, how would you ever know? The most secure way to communicate is to not communicate at all, as always. Or to be more specific, to at least not involve an intermediary if you can choose so. Short of that, all that remains is the unproven hardness assumptions. | | |
| ▲ | flowerthoughts 6 hours ago | parent [-] | | I'm actually surprised that steganography isn't talked about more yet. Tor and Monero are conrete examples of systems that work as long as they have enough traffic. But being able to overlay Tor on normal traffic would be really annoying for those trying to listen. |
|
|
|
| ▲ | 1vuio0pswjnm7 2 hours ago | parent | prev [-] |
| TLS exposes hostnames in plaintext via SNI. If using TLS version below 1.3 hostnames contained in the server certificate are in plaintext, too. ECH still "experimental", not in widespread use, no delivery deadline. In theory encryption is something that protects the "common person", but SillyCon Valley's version of encryption, "TLS", is, unfortunately, mostly used for data exfiltration by third party intermediaries, so-called "tech" companies, i.e., opportunistic "business people". Rather than protecting the "common person", the _primary_ use of "TLS"
is to faciltate violation of the "common person's" privacy for profit, and to protect the third party intermediary's privacy intrusions from detection by the "common person", by making it difficult for the "common person" to monitor the outgoing traffic from their computers. The privacy risk created by this third-party controlled encryption ("TLS") is why corporations must perform "TLS inspection". They have to decrypt TLS connections and then re-encrypt them in order to monitor the outgoing traffic from their networks. But the opportunistic "business people" in SillyCon Valley know the "common person" will not do TLS inspection. But that's not all. Further third parties, more opportunistic "business people" called "certificate authorities" play a disproportionate role in brokering TLS connections, deciding on behalf of the "common person" who is trustworthy and who is not. This largely relies on "ICANN DNS", another laughable SillyCon Valley implementation, and is thus severely flawed, but that is another topic. SillyCon Valley's so-called "tech" companies utilise this third party "CA system" to make it difficult for the "common person" to exercise control over deciding who they want to trust or distrust, e.g., by frustrating the use of so-called "self-signed certificates" by the "common person". Meanshile, the SillyCon Valley companies ensure that _by default_ the SillyCon Valley companies' certificates are trusted. In some cases, the certificates (or their digital fingerprints) are hardcoded into software used by the "common person". Despite what the average "tech" worker would like the "common person" to believe, "TLS" is not synonymous with "encryption". Nor is criticism of TLS necessarily criticism of encryption. TLS is only a lame, user-hostile implementation of encryption that the "common person" must suffer while so-called "tech" companies use it to protect their surreptitious data collection from the "common person". |
