So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered. Table 1 is worth a read. The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS. If you're on DoH (DNS over HTTPS), you're even using it for host lookups.
That should matter a lot to the common person, TLS or not doesn't matter, what matters is who talks to who, and who talks when. That information alone can give you many useful insights.
I would argue it is not possible to ever consider the internet 'safe' because you happen to flow through country x, and not country y. Instead, we must keep working on the protocols that we use to try to reduce exposure as much as possible.
> I would argue it is not possible to ever consider the internet 'safe' because you happen to flow through country x, and not country y. Instead, we must keep working on the protocols that we use to try to reduce exposure as much as possible.
Firstly, there are only three ways that I know of to keep metadata (not content, which can simply be encrypted) away from the people that route your packets.
1) Onion routing (Tor). This cannot be used for general purpose multimedia usage because of slow speeds (any slow middle node can make it slow, and the higher the speed you require your nodes to be, the fewer nodes you have, lowering the security of your network)
2) VPNs. This obviously pushes the problem of trust back to the VPN company. Which is fine, it only needs to be more trustworthy than the ISP. But jurisdiction is a very important topic here, which only makes my point more so.
3) Put everything on one of a few global CDNs. That way, all network traffic is just encrypted requests to Google, Cloudflare, Amazon and Azure servers. This obviously has the problem that the CDN company now knows what you're doing.
Unfortunately, the EU doesn't seem interested in private protocols.
https://www.europarl.europa.eu/doceo/document/E-10-2025-0032...
Sorry? You're aware of the fact that the EU tech sector has several parties that could do this by themselves if they felt the need to do so?
It's not an assumption? Nowhere in the above thread is that an assumption made, neither do any of the relevant points rest on such an assumption.
Google and Duck Duck Go both on the phone assumed I was in Hong Kong when searching, even though I was in Sydney and Vancouver respectively, which did make searching for local places a tiny bit more frustrating.
These are some of the most "slop" providers, which is mostly ads and affiliate links unfortunately. It's the same reputation as NordVPN, whereas the best you could say is it's well known.
2/ iPhones don't let you set the DNS provider / DoH for cellular
3/ DoH breaks wifi redirect walls, making it tedious to enable/disable. Like you can't just enable DoH for certain apps or disable it for others.
Since this is a security focused discussion, why do you see wifi hijacking your dns lookups as something desirable?
And while we all would like to live in that perfect ivory tower of CIA-level security, we mostly live in the real world and have to make do with what we have.
The solution is to detect it happening, and then switch to a different 'mode' where you ignore all https certs but never send any private data and never trust any data received.
This is extremely difficult to do even for skilled people.
Is that really true? I would have thought all the automatic detection features try with unencrypted DNS? They should anyway.
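The comments above describe a client that notices when a Wi-Fi network hijacks its DNS and HTTP (a captive portal), falls back to a mode where it sends nothing private until the portal is cleared, and runs that detection over plain DNS rather than DoH. The following Python model is an added example and is not code from any comment in this thread; the probe URL, the hotspot host name and the sample responses are constructed for the example, and the guard only models the "send nothing private" half of the idea, not certificate handling.

```python
"""Captive-portal detection with a fail-closed egress policy.

Added example for the thread's point that a client should detect a network
that rewrites its DNS/HTTP and, while it does, send nothing private. The
probe endpoint and sample responses below are constructed, not captured.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical connectivity-check endpoint, modelled on the plain-HTTP
# "expect a 204" probes that phone OSes use. Plain HTTP on purpose: a portal
# can only answer it by issuing a redirect or serving its own login page.
PROBE_URL = "http://connectivity.example.test/generate_204"
EXPECTED_STATUS = 204
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class NetState(Enum):
    OPEN = "open"        # probe answered exactly as expected
    CAPTIVE = "captive"  # something in the path rewrote the probe


@dataclass
class ProbeResponse:
    status: Optional[int]      # None when no HTTP answer came back at all
    headers: Dict[str, str]
    body: bytes
    resolved_via: str          # "plain" (network DNS) or "doh"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def needs_plain_dns_retry(resp: ProbeResponse) -> bool:
    """A probe that got no answer after DoH resolution is inconclusive: the
    portal may simply be blocking the resolver. Repeat it over the network's
    own DNS before deciding anything."""
    return resp.status is None and resp.resolved_via == "doh"


def classify_probe(resp: ProbeResponse) -> Tuple[NetState, Optional[str]]:
    """Return (state, portal_host). portal_host is the only host a captive
    client may contact; None means the portal did not identify itself."""
    if resp.status == EXPECTED_STATUS and not resp.body:
        return NetState.OPEN, None
    if resp.status in REDIRECT_STATUSES:
        location = _header(resp.headers, "Location") or ""
        return NetState.CAPTIVE, urlsplit(location).hostname
    # A 200 with HTML, an error page, or no answer at all: path is not clean.
    return NetState.CAPTIVE, None


class EgressGuard:
    """Fail-closed policy: until a probe proves the network clean, only the
    portal host is reachable and nothing carrying private data leaves."""

    def __init__(self) -> None:
        self.state = NetState.CAPTIVE
        self.portal_host: Optional[str] = None

    def update(self, resp: ProbeResponse) -> NetState:
        self.state, self.portal_host = classify_probe(resp)
        return self.state

    def allows(self, url: str, carries_private_data: bool) -> bool:
        if self.state is NetState.OPEN:
            return True
        if carries_private_data:
            return False
        host = urlsplit(url).hostname
        return host is not None and host == self.portal_host


# Constructed sample responses (not captured from any real network).
SAMPLES = {
    "clean": ProbeResponse(204, {}, b"", "plain"),
    "redirect": ProbeResponse(302, {"location": "https://login.hotspot.example/?r=1"}, b"", "plain"),
    "login_page": ProbeResponse(200, {"Content-Type": "text/html"}, b"<html>Sign in</html>", "plain"),
    "doh_blocked": ProbeResponse(None, {}, b"", "doh"),
}

if __name__ == "__main__":
    guard = EgressGuard()
    for name, resp in SAMPLES.items():
        if needs_plain_dns_retry(resp):
            print(f"{name}: inconclusive, retry the probe over plain DNS")
            continue
        state = guard.update(resp)
        print(f"{name}: {state.value}, portal host {guard.portal_host!r}, "
              f"private request allowed: {guard.allows('https://mail.example.org/', True)}")
```

The guard starts in the captive state, so a freshly joined network gets no traffic at all until the probe has passed; a redirect unlocks exactly the host the portal named and nothing that the caller has marked as private.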
You will get unfiltered western internet as a tourist.
Wasn’t a lot in the end scheme of things - less than the cost of a night in the hotel, let alone the full trip
Why was it blocked for a week? Not sure I understand what happened to you.
When the bar of entry is lowered, then that makes it easier for providers who offer privacy to enter the market. So that people who care about this sort of thing can choose them.
Even then, you'd be relying on the randomness source being good, which is not trivial. What if the ISP colludes, how would you ever know?
The most secure way to communicate is to not communicate at all, as always. Or to be more specific, to at least not involve an intermediary if you can choose so. Short of that, all that remains is the unproven hardness assumptions.
In theory encryption is something that protects the "common person", but SillyCon Valley's version of encryption, "TLS", is, unfortunately, mostly used for data exfiltration by third party intermediaries, so-called "tech" companies, i.e., opportunistic "business people".
Rather than protecting the "common person", the _primary_ use of "TLS" is to facilitate violation of the "common person's" privacy for profit, and to protect the third party intermediary's privacy intrusions from detection by the "common person", by making it difficult for the "common person" to monitor the outgoing traffic from their computers.
The privacy risk created by this third-party controlled encryption ("TLS") is why corporations must perform "TLS inspection". They have to decrypt TLS connections and then re-encrypt them in order to monitor the outgoing traffic from their networks. But the opportunistic "business people" in SillyCon Valley know the "common person" will not do TLS inspection.
But that's not all. Further third parties, more opportunistic "business people" called "certificate authorities" play a disproportionate role in brokering TLS connections, deciding on behalf of the "common person" who is trustworthy and who is not. This largely relies on "ICANN DNS", another laughable SillyCon Valley implementation, and is thus severely flawed, but that is another topic.
SillyCon Valley's so-called "tech" companies utilise this third party "CA system" to make it difficult for the "common person" to exercise control over deciding who they want to trust or distrust, e.g., by frustrating the use of so-called "self-signed certificates" by the "common person". Meanwhile, the SillyCon Valley companies ensure that _by default_ the SillyCon Valley companies' certificates are trusted. In some cases, the certificates (or their digital fingerprints) are hardcoded into software used by the "common person".
Despite what the average "tech" worker would like the "common person" to believe, "TLS" is not synonymous with "encryption". Nor is criticism of TLS necessarily criticism of encryption. TLS is only a lame, user-hostile implementation of encryption that the "common person" must suffer while so-called "tech" companies use it to protect their surreptitious data collection from the "common person".
If your provider is trying to charge you every time you need to move your SIM, have you considered a different provider?
https://support.apple.com/en-ae/118227
> You can have two eSIMs active at the same time on supported iPhone models. For example, you can use one eSIM for your home phone number and another eSIM for the place you're visiting.
With a physical SIM, I can pry my card out of one phone and put it into another, and expect it to work. With eSIM, every single eSIM has to be carrier approved and GSMA approved, and every single transfer from one eSIM to another has to be carrier approved too.
Is anything preventing the provider from denying a SIM swap based on IMEI?
Are you outside the US? I've used eSIM on iOS many times with a number of carriers and MVNOs and never noticed a fee (unless you're talking about a postpaid carrier's line activation fee, usually around $36, not related to esim or not)
That’s a trade a lot of people would gladly make.
Say you arrive somewhere where your regular provider doesn't have signal so you get a prepaid sim from the one provider that does have signal. How do you install it if it's an eSIM? You don't have connectivity on your regular.
One, you can plan ahead. Two, most of those spots have Wi-fi for this purpose.
There are legitimate reasons to prefer a physical SIM. This isn't one.
I have no idea where to get a local sim from, but it would mean I wouldn’t have my normal phone number (unless I had a phone with two physical sims - very rare), and presumably would have had to find a shop at 3 am body clock time and 10pm local time. Maybe there was one post customs, I don’t know as I was autopiloting to the taxi.
...? - they are literally the norm in Android land nowadays, it's only Apple that INSISTS upon a single SIM or, in third-world variants, two eSIMs.
As it is nowadays, I am not up to date.
That 10 € fee is exactly the cost they would have charged for a physical SIM, shipping included.
Bouygues was one of the companies lamenting the change. They viewed it as a "loss of connection with their customers", whatever that means. I haven't set foot in a phone store in I don't even remember how long, but at least 10 years, so I have no idea what the hell they're talking about.
Makes it harder to sell a SIM card along with a new phone, or upsell an entire new phone to someone who wants a SIM card.
This is a place where I really think Apple, Google, etc could throw their weight around for good.
If Apple just said to carriers: "You can't sell any iPhones unless eSIM activations, changes, and updates are free for everyone, and take less than one hour." I think many would follow suit.
I suspect Apple is still in the process of forcing every carrier to just support eSIM in the first place, before trying to push making it work well. The second part might end up being implemented through law though.
I think carriers always need to be pushed via law. Australia mandated carriers to support number portability (including transfer time-frames) in 2001-ish. It suddenly became so easy to shop around, keeping your number was super easy.
Some started charging 'port out' fees, but that was squashed too.
Also considering you're required to authenticate to the government before being allowed to have a mobile phone number in Germany, some people might choose to mainly use their device on WiFis and with downloaded maps and other data. It's not like mobile data is that reliable in Germany anyway. That'd be an unpleasant surprise if you are subsequently denied emergency services in the life-threatening situations that 112 is for.
I didn't believe you, or that it was possibly a temporary thing, but I checked and it seems to be true since 2009 with no news since. I'm curious to try it (if there were a test number like 117 and 119 in Belgium¹) because I'm still a bit in disbelief, or to know if it e.g. works with a data-only SIM, or if an expired SIM works (if it ran out yesterday and you haven't had time to fix it or charge up the prepaid card), or if you forgot the SIM PIN due to stress (happened to me once when the phone needed a reboot, so I spent my trip abroad without mobile service until I got home and could reset it). Is it that easy to change the IMEI of a device, that pranksters abuse the service with it constantly if not blocked outright? Why isn't this a thing in other countries? I have so many questions
What a backwater this is in terms of communications infrastructure
¹ https://nl.wikipedia.org/wiki/Noodcentrale_112#Testnummers_n..., English translation on https://www.reddit.com/r/belgium/comments/191hryo/comment/kh...
eSIMs are just another way these companies are trying to control, and as you said, profit off of their customers.
I see this as taking ownership away from the customer as well. I no longer own the SIM in essence.
Did that several times using cheap eSIMs while traveling.
Never had a single problem with it (but increased latency because of weird routings around the world).
I have an "always on" VPN routing back home. Anything destined for my home network gets routed that way, and there's literally zero battery drain.
I'm not paranoid enough to route everything through VPN though.
I already use SDNS with Nextguard, and all traffic is https encrypted, and my day to day business on the internet is probably rather boring to the majority of people. Not saying I have nothing to hide, everybody does, but my visits to various news outlets, social media and other sites is probably not all that interesting.
The most interesting data about you comes from your phone's constant reporting of cell towers, which can be used to triangulate you, and put a timestamp on where you were, when.
UDP (which WireGuard uses to encapsulate your data) traffic is often de-prioritized. You won't notice it when the network load is low, but it will seriously degrade experience during high load periods.
[0]: https://radar.cloudflare.com/adoption-and-usage?dateRange=52...
Not sure if dang see this, but it might be worth asking hn@ycombinator.com otherwise
Maybe a flood protection for new accounts.
Maybe someone knows better alternatives?
Why would they take such extreme measures if there wasn’t some issue with the security?
Also, iPhone and iPad sold in China can install and activate an eSIM from foreign carriers when the device is not located in China. They only banned activating foreign eSIM within China.
Is that even a ban? I didn’t think eSIM activation typically roams — I thought it only worked on home networks.
While I was in the US, I swapped iPhones and successfully activated both NTT docomo and Au (KDDI) eSIMs while roaming. It definitely works when you're out of home network.
I'm not sure if it's an undisclosed security hole or a backdoor, but it does seem like the eSIM push has something to do with China.
If you use an eSIM provided by your own domestic carrier, which I do and many of my friends, especially when having more than one phone number, almost none of the risks in the paper are applicable.
How does that work with an eSIM?
You've already lost me there.
I don't install the samsung dishwasher app or the mcdonalds value points app or the Mountain Dew summer of fun app ... why would I install some random national carrier telco app ?
Same, except you download it.
When my wife’s German T-Mobile eSIM vanished during transfer to a new phone, their portal for downloading a new one required a token sent to that very phone number we just lost access to.
This meant we had to do a trip to their store where they said that there’s no process for the store to supply us with an eSIM, but they’ll set up a new traditional SIM which we could then convert to eSIM. Ridiculous! At least it was all free - apart from the time spent.
That was a few years ago, though. So, I very much hope they’ve improved on the process.
You scan the QR code and then download. Sometimes there is like a code you have to enter. It's a prepaid SIM, the carriers--particularly in East Asia or Africa--aren't particularly concerned with authenticating that much.
A regular SIM: you just pop a SIM card into your phone and it just God damn works.
But eSIMs? I've used eSIMs from five carriers in three different countries and every time there is some issue:
* "Oh you need our god awful app to install an eSIM" (of course I couldn't easily download it because Google play geo hides apps).
* "If your phone is stolen overseas you can simply use this QR barcode again to register an eSIM to a new phone" (I couldn't).
* "Works with all phones". (It didn't because phone manufacturers have to bake Telco specific data into your phones firmware. Not supported? You're shit out of luck).
I could go on..
The fact that there are now privacy and security issues is not surprising at all. This isn't teething issues. The drafters of the eSIM standard should be publicly flogged.
I haven't had any APN issues with regular SIMs in a while actually, but it used to be a common problem that would only sometimes auto-configure correctly. I've definitely had to google carrier APN settings and fiddle with them for a while to get text, MMS, and internet access working properly.
I also recently had an issue where I moved my US MVNO provider SIM to a new phone and it mostly worked, except for RCS. When I called them, they claimed my phone model wasn't compatible with their network, despite me already using it on their network for months. Apparently in their opinion SIMs should never actually be moved to a different phone. They offered to sell me a new phone, but I switched to a new carrier instead.
But this is exactly the situation we have with VPNs. VPNs have proven themselves to be a useful tool for censorship circumvention, and foreign eSIMs are thus an interesting alternative suitable for this purpose, especially if traditional VPNs are blocked by the state.
https://www.sakuramobile.jp/japan-sim-card/local-japan-esim-...
EDIT: Last time I went to Japan, I bought an esim from https://jjesim.com/esim
No reason to avoid cheap providers.
The other risks mentioned are mostly rare edge cases
There is very little difference between a physical SIM from provider X and an eSIM from provider X (except that one requires an available physical slot and the other is a pain to move between devices), but eSIM allowed many new provider and reseller business models.
In practice, this means much more choice, much lower prices, but often also lower quality because everything is optimized to be as cheap as possible and often involves roaming agreements where your traffic gets sent on high-latency world tours.
[0] Website, https://saily.com/
[1] Actual operator is 1GLOBAL alias TP Global
* Provision of Services The Services to Customer will be provided by our Technology Partner - TP Global Operations Limited, a limited liability company incorporated and registered in England and Wales with company number 14109189 whose registered office is at 109 Farringdon Road, Farringdon, London, EC1R 3BW, UK (“1GLOBAL”). *
I've used Airalo without much hassle, but I can't say that they're any better. I did have an incident where the phone I was using broke, and I was unpleasantly surprised to find that I couldn't just load the eSIM onto the replacement phone, seems like you only get one shot at downloading it.
(Dragonpass is pretty good though, I recommend getting that through a credit card or whatever if you spend a lot of time hanging around airports.)
Registered address: The Valley - Beethovenstraat 505 North tower, Level 6. Amsterdam 1083HK, Netherlands
So we're at 3 levels of indirection on ownership already.
In practice, 1 Global is the trading name of TP Global because it's the successor company to 'Truphone':
> In 2022 the Company was selected in a competitive bidding process, conducted by a UK court appointed administrator of Truphone Limited (“Truphone”), to acquire all the business and assets of Truphone (the “Acquisition”).
And this company was an investment option for Russian oligarchs:
> In December 2024, German Manager Magazin revealed that Russian oligarchs Abramovich, Abramov and Frolov, who had previously owned 96% of Truphone and invested more than €360 million in the company, could still benefit from any success achieved by 1Global.
So yeah, maybe avoid.