Skip to main content

A Technical Description of Psiphon

Here's an update to address two recent questions: in simple terms, what is Psiphon and how does it differ from a VPN service; and, what has changed since the technical design document was last updated.

Psiphon 3 is a centrally managed, geographically diverse network of 1000s of proxy servers. Most of our infrastructure is hosted with cloud providers. Psiphon 3 is a "one hop" architecture with secure link encryption between clients and servers. We offer clients for the most popular platforms: Windows, Android, and iOS (in alpha).
Psiphon is open source. Our service offers a strong privacy policy; there are no user accounts and user network addresses are not logged.
Psiphon differs from standard VPN services in a couple of key ways:
  • We deploy strategies to distribute subsets of servers to users aiming to provide each user with a handful of servers they can reach while not revealing the entire network to one user. To achieve this goal, the size of our network -- and in particular the diversity of our network addresses -- isn't simply a function of our traffic load.
  • We use protocol obfuscation to bypass DPI blocking.
Psiphon's technical design document is out-of-date and what follows is a very brief summary of major technical changes we've implemented since the project launched in 2011.
  • We added the obfuscated SSH protocol to mitigate DPI fingerprinting. This fully random-looking protocol is deployed with a unique obfuscation key per Psiphon server.
  • We added an optional HTTP prefix to our protocol to mitigate DPI-based whitelisting of HTTP traffic. This simple prefix is sufficient for regex-based DPI (nDPI and l7-filter) to classify Psiphon traffic as HTTP; and was sufficient to defeat an actual adversary at the time we deployed it.
  • We added remote server lists to augment the embedded and discovery servers concepts. While discovery happens only when connected to an existing server, remote server lists can be downloaded even when all servers are blocked. Remote server lists are distributed on S3 and accessed via https://s3.amazonaws.com without a distinguishing bucket name in the URL. In this way, it is difficult for an adversary to block our remote server lists without blocking all of S3 or implementing HTTPS traffic analysis.
  • Email is now a major client propagation mechanism. We have an auto-responder that returns links and attachments to custom sponsor/channel Psiphon clients depending on the email address users send to.
  • We released an Android client in 2012. The first version included an embedded browser based on Android's WebView. In 2012/2013 we added support for whole device tunneling, which tunnels all Android apps through Psiphon. We have an iptables whole device mode (for rooted Android 2.2+ devices); and a whole device mode that uses Android's VpnService with tun2socks (for any Android 4+ device). Additional features added include egress region selection and proxy chaining.
  • We have an iOS client now in alpha testing. This app has an embedded browser.
  • Our in-app feedback mechanism sends us messages and optional diagnostics from users. This system has helped us debug many platform issues and blocking issues.
  • Changes to discovery algorithms: our discovery algorithms evolve as part of an ongoing process of optimizing our network. Major changes include sharing discovery servers across propagation channels; and adding time-of-day as a dimension.
  • Optimizations to connection algorithms: our clients now launch connections to many servers at once when connecting, and keep the "best" connection. This assists in load balancing as well as reducing user wait time as individual blocked servers do not stall the connection sequence.
  • Client auto-upgrade was enhanced to use incremental download and to use out-of-band download sites (authenticated with digital signatures). These changes made it more likely that a new client can be distributed at a time of blocking.

Popular posts from this blog

Why You Don't Need Google's Domain Fronting

Google’s removal of domain fronting emphasizes the need for solutions like Psiphon. Google has confirmed that they will block domain fronting across Google domains and App Engine. For many apps and publishers, this represents a step backwards in the fight for internet freedom. While Psiphon has never relied on this Google service, many app developers continued to depend on the practice as a convenient and straightforward means of circumventing state-level censorship, despite the long-running speculation that Google would close this loophole (eg. Will Scott’s blog post in 2017). While the announcement has been met with criticism from internet activists and service providers alike, Google has defended their decision, saying “ domain fronting has never been a supported feature ”. Domain fronting has been a popular means of censorship circumvention for several years, being embraced by popular apps like Signal, who publicly adopted the practice in 2016 . While using Google domain

Social Media and Internet Ban in Turkey

Following the detainment of 12 pro-Kurdish lawmakers from the Peoples’ Democratic Party (HDP) in the early hours of November 4 th , Facebook, Twitter, Instagram, YouTube, WhatsApp and Skype were blocked in Turkey . There were reports that Turk Telekom internet provider completely disabled access to the internet or throttled the connection to the point that it was impossible to connect. Despite lack of official decision about the restrictions, and BTK’s explanation that there was a technical problem throughout Turkey, Prime Minister Binali Yildirim made a statement later in the day and said “For security reasons, these kinds of measures can be taken time to time. These are temporary measures. Everything goes back to normal after the danger is eliminated.” Social media and internet bans ended the following evening in most of the country, but there were still some short-term connection problems during the weekend in some regions, and it was reported that some Turk Telekom users

Psiphon Usage Surges as Brazil Blocks WhatsApp

At 9PM ET on December 16th WhatsApp was blocked in Brazil . The ban came after a judge ordered that the messenger app be blocked for 48 hours when the company refused to hand over private user information related to a criminal case. For months, Brazilian telecommunications companies have been attempting to shut down WhatsApp because it provides free messaging and voice services. WhatsApp is the most popular messenger service in Brazil and telecoms blame it for luring millions away from paid cell phone use. Internet users in Brazil reacted strongly to the ban, criticizing the decision to block WhatsApp widely on social media. Millions turned to alternate messenger services and shared circumvention techniques over social media. Psiphon was praised by people in Brazil for being free, open source, and able to keep them connected throughout the blocking event. Psiphon’s surge capacity was able to cope with the increased demand, with peak data use of more than 8x that of a normal day. Psip