Psiphon Blog

At Psiphon, we’re committed to open source development. We talked about this in a previous blog post , and you can access our source code here . We were recently offered the chance to take this openness a step further with a formal security audit of our Windows and Android products, to be carried out by iSEC Partners . As part of our effort to be transparent in the way we operate, we are pleased to publish this report in full, which you can access here . Overall, we are very happy with the results of the security audit, and for it to be recognized that we are "actively invested in ensuring the security of [our] users". We have already addressed the one High Severity item uncovered by iSEC Partners, and will continue to address the other recommendations over time. The main findings of the report are: Psiphon follows most industry best-practices and takes measures to mitigate against attacks where it cannot. Most findings were suggestions to further improve the system, particul...

Summary of Heartbleed impact on Psiphon: Some Psiphon servers were using affected versions of OpenSSL, leaving the Python web server vulnerable to the Heartbleed attack. Data at risk, within the web server component process, included Psiphon network topology information and network usage statistics in addition to web server key material. The SSH/SSH+ Psiphon tunnels were not at risk. User traffic flowing through the Psiphon servers was not at risk. VPN Psiphon tunnels were potentially at risk for man-in-the-middle attacks as the per-session authentication secret is in Python web server memory. On April 8, 2014, OpenSSL patches were applied to all affected Psiphon servers. In addition, all affected servers had their non-SSH/SSH+ capabilities revoked (out-of-band updates to all clients), ensuring clients will not attempt to use potentially compromised web server key material outside of the secure tunnel. The Windows client does not use OpenSSL and is not affected by the Hear...