I'll post an example for the parent just in case they are honestly confused about use cases. Here is one that happened to me. I had an eSIM on my iPhone. My iPhone broke (screen became somewhat unusable, and the phone was stuck in a restarting loop). It was an older model phone so I checked the repair cost and thought I'd rather buy a new one.
Bought a new phone. Now, to transfer my eSIM from the old phone to the new phone, I needed the carrier to approve. But I was away from my home country and on roaming. So I tried to call them. They needed me to use a verification PIN they would send via SMS on the old phone, to verify the transfer to the new one. Impossible since the old phone is unusable.
Back in the day, I'd have just taken out the sim from the old phone and moved it to the new one. Easy peasy.
The only other option in this case now was to visit one of their stores thousands of miles away. Eventually just ended up doing that when I returned weeks later but during this time I could not access several services due to lack of access to my number plus 2 factor codes being sent there.
Moving a sim from phone to phone was seamless. Now the carrier needs to approve this swap. Even with two working phones sometimes it's a hassle and there will be delays while carriers decide to approve the move. There is a new feature that allows you to transfer eSIMs easily between phones but carriers seem to be holding onto their power in this regard and not every carrier will let their sims move so easily. This possibly requires regulators to step in and solve the issue - make it up to the user to move eSIMs. I would count on the EU to make this easier at some point.
On the plus side, eSIMs are nice to be able to signup and provision them through an app. Helps with travel and roaming. So there's that too.
“I’m across an ocean from any of my network’s stores and need to activate a different phone on my regular network and number right now, on the side of the road, without WiFi or a computer or a different, working phone already on my account” is to me the most obvious case where eSIM is weak. And having been in that situation before eSIMs, it was really easy - remove SIM, put in backup phone, use. Not so much now.
this carrier approval to move esim problem is more generalized on modern “smartphones”. unless you opt in to cloud providers holding your data there is no easy way afaik to migrate your authenticator apps to another phone. and a host of other authentication/authorization data is tied to the device in an opaque way. don’t get me started on apple’s unpredictable model of sending 2fa to some other “trusted” device which means you never know what you need to bring with you.
> unless you opt in to cloud providers holding your data there is no easy way afaik to migrate your authenticator apps to another phone.
You could self-host Bitwarden/Vaultwarden, or something like that.
> don’t get me started on apple’s unpredictable model of sending 2fa to some other “trusted” device which means you never know what you need to bring with you.
I think they send 2FA to all supported devices on one's Apple account?
i just ran into a situation activating a new device in which apple were trying to send to a device i had forgotten to “properly” remove from that icloud account.
and also another situation in which the 2fa code would flash on the remote device and disappear in a fraction of a second. i eventually captured it with screen recording but every time i did it the code was not accepted.
my conclusion: apple had silently ruled that i would not be allowed to activate using that particular icloud account. no idea why. i tried a different one and things went through ok.
that’s good to know thanks but creates more special cases to manage if i just want to backup my stuff so i can manually recover when i need to (on lost device say).
It's well known that people often lie on visa applications and try to immigrate illegally. The US publishes a yearly review of overstayers broken down by country of origin. So you can see where the highest problem areas are. Sometimes this is masked because of way stricter visa issuance policies. So for example, you may not see a super high overstay percentage for India because many folks get rejected at the visa application stage. But still, this gives you a clearer picture of how rampant the lying is and the subsequent "disappearing" in the US.
That is an interesting document. I did not know about it.
I will say that the absolute numbers are higher than I expect, but the relative numbers are around the ballpark of 1%. And depending what is counted maybe ~2% which seems to me that the problem itself is not as big as it seems to me people are making it to appear. It does not seem to be foreigners are trying to overtake or abuse the country systematically as it has been said by some. Is my reading of the situation same as yours?
So for Visa Waiver countries one of the requirements is to keep that number under 1% or so to stay in the visa waiver program. For visa required countries, if the visa vetting process wasn't so strict, probably the numbers would be a lot higher.
This was already the case for almost every other country. Most embassies required you to be resident or a national of the country you are applying in.
So oddly, the US was far more permissive than other locales in this one aspect. All this change does is bring it in line with security practices that other nations already had in place.
Honestly am quite surprised that the US didn’t already have this restriction considering overall it’s one of the toughest countries to get a visa for or even enter with a valid visa.
The US visa vetting procedure is known to be so strict even for tourists that many nations give visa free access to nationals who would otherwise require a visa - just because they hold a valid (or sometimes even expired!) US visa. It’s a highly regarded sticker if you can get one in your passport and seriously ups the power of your passport if it’s a weaker one to start with.
Many countries do things radically different than America does in terms of immigration, but it is quite clear over the past 20 years that one major political party in America favors more open immigration than the other. Where it seems most Americans prefer something right in the middle. Legal, but flexible.
Europe's permissive immigration policies (basically anarchy from my perspective in the UK) are creating an entirely avoidable crisis. I expect a far more closed border policy in the future. International travel will become more complicated as western countries will increasingly try to control who is allowed in. Trump's administration is just 2 to 5 years ahead of everyone else.
> Europe's permissive immigration policies (basically anarchy from my perspective in the UK) are creating an entirely avoidable crisis
The crisis was not created by the immigration policies, but by the wars waged by US and Europe.
You see, when you bomb people, some will stay there to die and some will live. It is _that_ simple.
> This was already the case for almost every other country.
The US started off as a “zero to one” - a “sui-generis” state - unlike any other
Over time the people that gave in to the temptation to copy others, to be imperialistic, to be a colonizer, to be a slaver, to be expansionist all managed to damage the soul of the country - and still they keep trying
Why the insistence of being like almost every other country ?
> Most embassies required you to be resident or a national of the country you are applying in.
We're not like other countries
> So oddly, the US was far more permissive than other locales in this one aspect. All this change does is bring it in line with security practices that other nations already had in place.
We won two world wars and put a man on the moon - and you want to bring the US in line ?
The greatest experiment in state-building and you want to make it average?
Really? Do you have any examples? I’ve had visas around the world (and encountered numerous weird requirements) but never have I been required to apply for a visa from my country of nationality. Even China, which is very restrictive, allows for non-national applications.
(And in fact, in my experience, it is getting easier with online applications becoming more common.)
It's common for countries to require you to apply from your country of nationality or residence, and to prove lawful residence if you're not a national of the country you're applying in. I'm in the middle of a French visa application for my daughter right now, and she must apply in the U.S. where she's a citizen.
I’m not an expert at this, but is it true that the US is very unique in requiring interviews for all tourist visas and for almost every visa?
I’m American and every visa I’ve had to apply for did not require my physical presence at the embassy and I used a third-party processing service to get everything done.
Therefore, while I would need to apply to these countries from their US embassy because my physical presence was not required, I would generally not need to return to the United States to obtain their visa?
And this aspect of a US visa does make it significantly harder even though the application policy is similar to other countries?
I'm not aware of any other country besides the US that has a blanket policy of requiring at least one interview in almost all cases.
That said, back in the 2000s I had to apply in person at the French embassy for a student visa, and in the 2010s I had to apply in person at a Chilean consulate for a special visa.
Many countries have outsourced the bulk of their processing to contractors like VFS or TLS these days. But also, our experience as Americans is not representative as we generally have fewer visas we need to bother obtaining, and face less scrutiny when doing so.
I'm not sure if the US interview requirement makes it "harder" to get a US visa - it may be that getting a US visa is just harder than getting another country's visa, which might still be true even if we didn't interview people. The big thing that makes getting non-immigrant visas to the US difficult for many people is that, unless shown otherwise, US immigration law assumes you are an immigrant.
I have several examples and lots of personal experience. I’ve been asked to go back from Mexico, Brazil, and Chile while traveling there and applying for a visa to Peru. Finally the Peruvian embassy in Chile gave me a visa to visit Peru because I accidentally bumped into the assistant consul.
Several more examples but in this day and age you can just ask chat gpt to summarize for you. But if you check visa application requirements for many embassies, they will often say: proof of residence if not a national of the country of application. So that’s the requirement often.
I will add though that I’ve always maintained that this is a soft policy and they will make exceptions in some cases. It is mostly consulates wanting to do as little work as humanly possible. So there can be ways to get around it if you can talk to someone in charge. But usually that’s very difficult with consulates.
I’m pretty sure though in the US’ case now it’s a hard no. So there will be no working around it.
Expanding on my previous comment with an example: I obtained a long term residency visa a few months ago. I was in the country at the time and didn’t want to fly 15 hours back to my home country, and the embassy in the neighbouring country only accepts applications from residents, so I flew to another nearby country which does accept non-residents. The country that I have a visa for doesn’t care where the visa is issued, it’s the individual embassies that set their own rules about who they will process applications for. You just have to look through each embassy to find one that accepts you (which will be documented on their website). Except now for the U.S. which is instituting this rule.
I think we are talking about different things. I’m talking about a country’s requirements whereas you’re talking about a specific embassy.
An embassy will often have its own requirements based on the locality, whereas the visa requirements are uniform.
The Indian embassy in San Francisco might refuse to process non-resident applications but that doesn’t mean you can only get an Indian visa by going to an embassy in your country of nationality.
I don’t know about Schengen but that’s not correct for Japan. You can get a visa to visit Japan from an embassy in a country you’re not a resident or national of, there’s no requirement for the visa to be issued in your country of nationality (although some embassies may choose not to accept applications from non-residents or non-nationals).
Schengen does not work like that. While you are supposed to apply from the country you are a resident in, if you have valid reasons you can apply from any other country. This is also frequently necessary (e.g. a traveller without fixed residence).
Well, just happening to be in a different country is not a "valid reason". Maybe for someone from the West it would be accepted, but not for the rest of us.
Also, "a traveler without a fixed residence" can get a non-immigrant visa for Schengen? I'm sorry but this just is not true if you're not a Westerner.
> Also, "a traveler without a fixed residence" can get a non-immigrant visa for Schengen? I'm sorry but this just is not true if you're not a Westerner.
If there is no doubt that you will leave and you can sustain yourself: sure.
Thanks for posting context. I was pretty annoyed at Revolut after reading the twitter thread but didn't know about this part of the situation. Of course, it's not obvious from the twitter thread at all.
Thank you for having the time and patience to reply to everyone about psychotherapy and how it's not a one-stop-shop to fix all your issues. I feel the same but honestly do not have the patience to take on this immense debate with mostly people who blindly believe that some person with a basic degree has the knowledge, insight, authority, etc. to solve your life's problems. I personally cannot reason with people who have based their beliefs on 'blind faith'.
Why are some people better at understanding technology or people? Why are some people able to do competitive bodybuilding? Why are some people geniuses? Why are some people paralyzed? Why do some people have deadly diseases or allergies?
Everyone's different, plus evolution. Left alone, the modern depressed would just die off soon enough.
The gist of it is that it depends a lot on your citizenship, the kind of work you do, and how it is all setup. Normally, taxes are to be paid where the work is done if you are a tax resident in that country. Interpretations vary so most nomads are on tourist visas and just fly under the radar. There is no proper framework for this kind of work yet. Even if you wanted to pay taxes in a country you're visiting it would be impossible in many cases because they wouldn't even issue a tax number without proper residence papers. You should be most concerned about your home country and speak to an accountant about that.
People on tourist visa by definition are not residents or citizens. They are tourists. You can't tax tourists. Imagine how many people would avoid certain destinations, I mean executives, if this was ever an issue. Many people "work" while being tourists. It would be difficult/impossible to force them to pay taxes for the weeks or months they spent in your country.
While it's still complicated, many countries use the notion of "tax resident", usually defined as "somebody who spends more than 180 days / year physically on our territory".
While it doesn't help US residents, as they have to pay Uncle Sam wherever they live, many non-US people are using this loophole to avoid being taxed anywhere. Just find 3 countries with residence-based taxation, avoid staying more than 180 days in a year in any of them moving back and forth, and boom! Zero taxes.
What I don't get is why the industry has decided to force encryption with HTTP/2? The spec does not require TLS however almost every single major browser only supports HTTP/2 with TLS.
Is this a push to make the internet more secure by design or is there some other reason behind this?
What's the speed difference between HTTP/2 and HTTP/1.1 without TLS? I'm sure this is hard to test because of lack of client support.
It is not always trivial to move large legacy projects to secure connections (especially because any resource, even an image, being loaded from an insecure endpoint results in a warning) so the result is now:
- Support TLS first
- Then implement HTTP/2
Consumers will not be able to take advantage of the better HTTP/2 performance without big changes to websites to first support TLS on the server end. Why?
> What I don't get is why the industry has decided to force encryption with HTTP/2?
For reliability and success of the protocol. "Reasons for choosing TLS-only include respect for user's privacy and early measurements showing that the new protocols have a higher success rate when done with TLS. This is because of the widespread assumption that anything that goes over port 80 is HTTP 1.1, which makes some middle-boxes interfere with or destroy traffic when any other protocols are used on that port." (Source: http://http2-explained.haxx.se/content/en/part5.html)
Believe me, TLS is very much necessary in practice here.
>This is because of the widespread assumption that anything that goes over port 80 is HTTP 1.1, which makes some middle-boxes interfere with or destroy traffic when any other protocols are used on that port.
I'm not convinced that's a real problem once traffic leaves your servers/CDN. In practice I have seen lots of protocols use port 80, since 80 is the port that's most likely to be unrestricted on even the strictest corporate firewalls.
It's a real problem. There are plenty of middle boxes around either at ISPs/cell operators or in residential gateways/modems that interfere on port 80.
The HTTP/2 protocol negotiation happens with ALPN, which is a part of TLS. It's possible to simply not negotiate or find another means, but in practice there are many proxies on the Internet that assume all port 80 traffic is HTTP/1.1 and will break an HTTP/2 connection.
That's simply to give web developers another incentive to use TLS. There is no real technical reason beyond that.
>any resource, even an image, being loaded from an insecure endpoint results in a warning
By necessity, unsecured resources undermine TLS's integrity guarantees. An unsecured image on my bank's website would mean that anyone who MitMs my connection can swap that image to show a message that appears to be from my bank.
The internet is no longer the trustworthy place it was in the eighties. HTTP2 is one attempt to make developers catch up with that.
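The mixed-content check the comment above refers to (an https:// page pulling any subresource over plain http://) is something you can run over your own pages before a browser warns about it. The scanner below is an added example, not code from this thread; it uses a small regexp-based tag scan rather than a full HTML parser, so it is meant for auditing your own templates, and the sample page is constructed for the demo. Plain `<a href>` links are navigation rather than subresources and are deliberately ignored, as are protocol-relative `//` URLs, which inherit the page's scheme.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tags whose src/href fetch a subresource into the page. An insecure URL in
// any of them is mixed content on an https:// page.
var tagRe = regexp.MustCompile(`(?is)<(img|script|iframe|link|audio|video|source|object|embed)\b[^>]*>`)

// src= / href= with double quotes, single quotes or no quotes.
var attrRe = regexp.MustCompile(`(?is)\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)

// Only these <link rel> kinds cause a fetch; rel=canonical and friends do not.
var fetchingRelRe = regexp.MustCompile(`(?is)\srel\s*=\s*["']?[^"'>]*\b(stylesheet|icon|preload|prefetch|modulepreload)\b`)

// Finding is one subresource that would be fetched over plain HTTP.
type Finding struct {
	Tag string
	URL string
}

// FindMixedContent returns every subresource reference in page whose URL has
// an explicit http:// scheme, in document order.
func FindMixedContent(page string) []Finding {
	var out []Finding
	for _, tag := range tagRe.FindAllStringSubmatch(page, -1) {
		tagName := strings.ToLower(tag[1])
		if tagName == "link" && !fetchingRelRe.MatchString(tag[0]) {
			continue // e.g. rel="canonical": metadata, nothing is downloaded
		}
		for _, a := range attrRe.FindAllStringSubmatch(tag[0], -1) {
			url := a[2] + a[3] + a[4] // exactly one quoting alternative matched
			if strings.HasPrefix(strings.ToLower(strings.TrimSpace(url)), "http://") {
				out = append(out, Finding{Tag: tagName, URL: url})
			}
		}
	}
	return out
}

// SamplePage is a constructed page with a mix of secure and insecure references.
const SamplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://news.example/story">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src='http://images.example/logo.png' alt="logo">
<img src="//images.example/hero.png">
<a href="http://partner.example/">partner</a>
<iframe src="HTTP://widgets.example/embed"></iframe>
</body></html>`

func main() {
	findings := FindMixedContent(SamplePage)
	fmt.Printf("%d mixed-content subresource(s):\n", len(findings))
	for _, f := range findings {
		fmt.Printf("  <%s> %s\n", f.Tag, f.URL)
	}
}
```

On the sample page this reports the stylesheet, the logo image and the iframe; the canonical link, the https:// script, the protocol-relative image and the anchor are left alone, which matches what a browser treats as mixed content.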
I agree with you 100%. What I don't get is the tradeoff that happens in this case for sites that do not necessarily need to be secure by design (what about a news site that has no login/etc or a blog?). Should all information on the web be encrypted by default?
Should all those sites not benefit from the speed improvements that HTTP/2 offers? It seems unusual to couple HTTP/2 with TLS, again, it's not the spec that does this but the vendors who are doing this.
The bigwigs of the industry will throw tons of developer resources at converting everything to TLS (haven't they already for the most part?) and then deploying HTTP/2. They already throw tons of money at being the fastest out there.
I find it interesting (worrying?) that while a spec does not specifically enforce a requirement, large browser vendors have enforced it and created an imperative for pretty much everyone to comply if they want the benefits of the new protocol.
There are a surprising number of ISPs that will happily inject content into users' data streams - we've had to go HTTPS with our apps to prevent this on several occasions.
Who's to say it won't be ads next? Who's to say they won't be serving exploits to clients? One lazy ISP trying to make a quick buck could serve untrustworthy ads to millions of people and have it show up on other sites, making it difficult initially to determine the source of the exploit, and preventing browsers' 'untrustworthy site' warnings from protecting users.
The same thing happened years ago with RBLs, where ISPs would return fake DNS results for sites which didn't exist, breaking RBL lookups completely and severely hampering spam detection for any users using those DNS servers. Worse yet, some of them prevent you from accessing other DNS servers directly, making it impossible to avoid their breakage.
If there's one thing we've learned in the last ten years it's that we can't trust ISPs to stay in their roles as providers of connectivity and services; they all see the potential for more money and never seem to grasp the downsides until it's too late.
Should J Random Hacker be able to alter your news feed to feed you fake information?
I think one reason they insist on TLS is because the need for privacy and integrity is a lot bigger than most people realize, and historically server folks have not reliably made the right choice.
No, of course not. What would be the economic incentive towards carrying out a sufficiently complex MITM attack on a blog or a newsfeed?
In my experience the times that I've had users complain about "injected" information or weird ads, it's usually come from malware that resides ON their system. There's no MITM required for this. The injection happens client side through a browser plugin or some other resource that gets loaded up along with the page. TLS wouldn't fix this in any way as far as I am aware.
>What would be the economic incentive towards carrying out a sufficiently complex MITM attack on a blog or a newsfeed?
Injecting ads is a relatively harmless but hugely profitable application we are already seeing.
On the more serious side, changing news feeds has huge potential for governments. It's the perfect propaganda tool, and with advances in machine learning the cost of doing this on a gigantic scale shrinks every day.
> What would be the economic incentive towards carrying out a sufficiently complex MITM attack on a blog or a newsfeed?
Gee, I don't know, imagine plastering your brand all over the NYT homepage or libelously accusing your political opponent of some heinous crime or behavior or injecting your malicious script onto millions of visitors' machines.
> There's no MITM required for this.
Um, local scripts injecting ads are still MITM by definition.
> TLS wouldn't fix this in any way as far as I am aware.
Yes it would. That's why pesky "antivirus" software MITMs TLS connections on your local computer.
The context of this discussion is smaller publishers/bloggers/etc. If you see the grandparent post it's clear that industry leaders will not find it technically challenging to get on board with both TLS and HTTP/2. The question I asked about economic incentive is not in the context of the NYT homepage but thank you for the unnecessary snark.
A local script injecting an ad is not the same kind of MITM attack and is no way mitigated by enabling TLS.
The discussion here is not about whether encryption is bad. My aim was to ask about whether no encryption = no HTTP/2 for you and why this is the case. I understand that the technical reason at the protocol level is because of obsolete proxies often sitting on port 80 and also the protocol negotiation that needs to take place.
> What would be the economic incentive towards carrying out a sufficiently complex MITM attack on a blog or a newsfeed?
We've already seen large scale MITM be used for political reasons: to DDOS github off the internet in retaliation for hosting anti-censorship technologies.
It's an integrity issue for sites that you trust. Some people's personal trust model is such that they trust no one and nothing published on the web sways their opinion; if that's indeed true then no amount of MitM content injection is going to influence them one way or the other -- but neither is truthful content. For these people, everything on the web is 'entertainment', and none of it is 'staying informed'.
For people who do use the web to stay informed, reputation, i.e. trust, matters. I might think that CNN publishes clickbait alongside real news, but I trust that CNN won't put blatantly false breaking news warnings above the fold about made-up events. Or, if I don't trust a single source in isolation, I trust that if several news outlets are posting breaking news warnings about the same event at the same time, that event must be real. How else would you find out?
In this day and age, refusing HTTPS means that the site author has done a cost-benefit analysis and decided that their content is not important enough to be verifiably originating from them, and that their reputation is not valuable enough to be protected from malicious tampering. In that case, why host a self-hosted website at all?
> what about a news site that has no login/etc or a blog?
HTTPS. It's not just about privacy. You want people changing the content of your articles and injecting ads or malicious scripts for your visitors? As the owner of the site, you have a responsibility to protect them and protect yourself from liabilities.
Are you using the transport layer? Then you need Transport Layer Security.
> Should all those sites not benefit from the speed improvements that HTTP/2 offers?
So, nope. Not until they can guarantee integrity and authentication.
While your points are valid, you're wrong about there being no technical reason. There is a valid technical reason, and that is, if http2 didn't require TLS, and ran on port 80, in practice it would get MITMed by software expecting plain http 1.1 and result in a broken mess. Requiring TLS is a technical decision that allows you to avoid that issue.
I can't speak on behalf of the internet, but I believe that since HTTP/2 is faster than HTTP/1, a decision was made to force TLS for the sake of privacy.
I remember watching a video of some Go developers writing an HTTP/2 client and one of them mentioned that there was an agreement to never accept non encrypted connections.
Because the protocol is now significantly more complex than HTTP 1.X and intermediate network services (proxies, etc) would not play well with an unencrypted stream. TLS guarantees that the intermediaries are either fully terminating the client connection and proxying to the server in whatever protocol it supports, or not manipulating the stream at all because it's unable to know the contents therein.
> Is this a push to make the internet more secure by design
Yes? I thought that was obvious. Google is even giving higher ranking to HTTPS sites now and even showing HTTPS versions of the site by default on Google, I believe.
If I'm not mistaken Apple is also pretty much forcing all app developers to use encrypted TLS connections for their apps (although there may be some exceptions).
The requirement for HTTPS everywhere is growing on me, especially after recent papers indicating that traffic is altered even on backbone provider networks.