Skip to main content

Heartbleed and Psiphon


Summary of Heartbleed impact on Psiphon:

  • Some Psiphon servers were using affected versions of OpenSSL, leaving the Python web server vulnerable to the Heartbleed attack. Data at risk, within the web server component process, included Psiphon network topology information and network usage statistics in addition to web server key material.
  • The SSH/SSH+ Psiphon tunnels were not at risk. User traffic flowing through the Psiphon servers was not at risk. VPN Psiphon tunnels were potentially at risk for man-in-the-middle attacks as the per-session authentication secret is in Python web server memory.
  • On April 8, 2014, OpenSSL patches were applied to all affected Psiphon servers. In addition, all affected servers had their non-SSH/SSH+ capabilities revoked (out-of-band updates to all clients), ensuring clients will not attempt to use potentially compromised web server key material outside of the secure tunnel.
  • The Windows client does not use OpenSSL and is not affected by the Heartbleed attack.
  • The Android client does not use OpenSSL for its tunnel, but does use Android Java SSL for its web requests to Psiphon web servers and Amazon S3. As Android version 4.1.1 is affected by Heartbleed, our app on this particular version of Android remains vulnerable to Amazon, Psiphon servers, or a man-in-the-middle peeking at app memory.
  • The email auto-responder server had the affected version of OpenSSL. The attack against it would be to get it to make a SSL connection to a remote mail server (by sending an email request from an address that uses that server), which could then peek into the memory of the mail server. This could potentially expose email content, including addresses. The OpenSSL patches were applied April 8, 2014.
  • The feedback processing server had the affected version of OpenSSL. It may have used that library (via Python + Boto to make SSL connections to Amazon AWS services and Google Gmail server. This means that Amazon or Google could have accessed user feedback data. However, it should be noted that this data is already hosted in Amazon EC2 and a subset of this data is emailed to us via Gmail. The OpenSSL patches were applied April 8, 2014.
  • Psiphon was not using an affected version of OpenSSL.

Popular posts from this blog

Social Media and Internet Ban in Turkey

Following the detainment of 12 pro-Kurdish lawmakers from the Peoples’ Democratic Party (HDP) in the early hours of November 4 th , Facebook, Twitter, Instagram, YouTube, WhatsApp and Skype were blocked in Turkey . There were reports that Turk Telekom internet provider completely disabled access to the internet or throttled the connection to the point that it was impossible to connect. Despite lack of official decision about the restrictions, and BTK’s explanation that there was a technical problem throughout Turkey, Prime Minister Binali Yildirim made a statement later in the day and said “For security reasons, these kinds of measures can be taken time to time. These are temporary measures. Everything goes back to normal after the danger is eliminated.” Social media and internet bans ended the following evening in most of the country, but there were still some short-term connection problems during the weekend in some regions, and it was reported that some Turk Telekom users

Psiphon Usage Surges as Brazil Blocks WhatsApp

At 9PM ET on December 16th WhatsApp was blocked in Brazil . The ban came after a judge ordered that the messenger app be blocked for 48 hours when the company refused to hand over private user information related to a criminal case. For months, Brazilian telecommunications companies have been attempting to shut down WhatsApp because it provides free messaging and voice services. WhatsApp is the most popular messenger service in Brazil and telecoms blame it for luring millions away from paid cell phone use. Internet users in Brazil reacted strongly to the ban, criticizing the decision to block WhatsApp widely on social media. Millions turned to alternate messenger services and shared circumvention techniques over social media. Psiphon was praised by people in Brazil for being free, open source, and able to keep them connected throughout the blocking event. Psiphon’s surge capacity was able to cope with the increased demand, with peak data use of more than 8x that of a normal day. Psip

7ASecurity’s Recent Security Audit of Psiphon’s Code Finds “No Significant Security Flaws”

As part of our ongoing commitment to achieving the highest standards of transparency and security, Psiphon commissioned 7ASecurity to conduct a security review of its code base related to four new Psiphon enhancements. The resulting report is public and can be found at: https://7asecurity.com/reports/pentest-report_psiphon-e.pdf .  Using a “white box” approach, meaning the complete source code was available, the security team set out to determine Psiphon’s adherence to secure coding best practices, and to provide safeguard recommendations, where appropriate, based on their findings. The security team used a variety of tools and methods against all Psiphon source code and third party libraries. Network traffic was also analyzed to identify potential attack vectors, fingerprinting and Psiphon’s behaviour under attack.  The team’s conclusions were that:  “ The Psiphon platform was found to be resilient to a broad range of attack vectors and provided an overall solid impression.  This