Skip to main content

Independent Security Assessment of Psiphon 3


At Psiphon, we’re committed to open source development. We talked about this in a previous blog post, and you can access our source code here.

We were recently offered the chance to take this openness a step further with a formal security audit of our Windows and Android products, to be carried out by iSEC Partners. As part of our effort to be transparent in the way we operate, we are pleased to publish this report in full, which you can access here.

Overall, we are very happy with the results of the security audit, and for it to be recognized that we are "actively invested in ensuring the security of [our] users". We have already addressed the one High Severity item uncovered by iSEC Partners, and will continue to address the other recommendations over time.

The main findings of the report are:
  • Psiphon follows most industry best-practices and takes measures to mitigate against attacks where it cannot.
  • Most findings were suggestions to further improve the system, particularly in relation to the growth in the number of people using the software.
  • No inherent architecture flaws were discovered.
  • One High Severity issue was found, related to automated server patching. We have now deployed automated server patching using Ansible.
  • Longer-term recommendations are being considered, and where appropriate built in to our development plans.

One particular finding of interest is the recognition by iSEC Partners that there is a potential for security issues related to the browser that we use for browser-only mode. We wrote about that recently when a new security flaw in the browser was discovered, and have already taken steps to mitigate against it.

We were very pleased to be given the opportunity to engage with this security review. We hope that you will find this report interesting, and that it will reassure you of our commitment to providing first-class software that will always be open source and secure.

Popular posts from this blog

Why You Don't Need Google's Domain Fronting

Google’s removal of domain fronting emphasizes the need for solutions like Psiphon. Google has confirmed that they will block domain fronting across Google domains and App Engine. For many apps and publishers, this represents a step backwards in the fight for internet freedom. While Psiphon has never relied on this Google service, many app developers continued to depend on the practice as a convenient and straightforward means of circumventing state-level censorship, despite the long-running speculation that Google would close this loophole (eg. Will Scott’s blog post in 2017). While the announcement has been met with criticism from internet activists and service providers alike, Google has defended their decision, saying “ domain fronting has never been a supported feature ”. Domain fronting has been a popular means of censorship circumvention for several years, being embraced by popular apps like Signal, who publicly adopted the practice in 2016 . While using Google domain...
Read more

Amid major network disruptions, 1.76M Psiphon users in Belarus

The Psiphon network supported a peak 1.76 million daily active users during significant network interference that started August 9th, a figure that represents nearly 1 in every 3 internet users. A large-scale disruption to international internet access was observed in Belarus, beginning during the contested presidential election on August 9th. Widespread filtering was reported across all Belarusian networks, affecting popular messaging apps including Telegram, Viber, and WhatsApp; social media platforms Facebook, Twitter, Instagram, and Youtube; major app markets including Google Play and the App Store; email providers Gmail, Mail.ru, and Yandex; maps, banking, online media, and many other services. Rolling blackouts of the mobile networks also occurred nightly between 6PM and 6AM. The majority of VPNs were reportedly blocked as a result of generalized SSL/TLS filtering. Tor direct connections were disrupted by the increased network change, while Tor bridge users reached a peak 8,0...
Read more

Cybernews Interview, Psiphon: “the world is becoming more and more privacy-conscious”

Most of us are aware of the necessity of having strong VPN protection in place. But what are the inherent issues with standard VPN applications, and how can they be solved? While choosing the best VPN often comes down to its features, the problem with many of the modern VPN applications concerns easily recognizable traffic in certain Internet environments despite the implemented end-to-end encryption. But what can be done about it? To discuss this matter, we’ve reached out to Alexis Gantous, a member of the Business Development and Operations team at Psiphon Inc, a company that works on providing uncensored Internet access for Windows and mobile devices. How did the idea of creating Psiphon originate? Psiphon was founded out of a research project at the University of Toronto’s Citizen Lab, founder and CEO Michael Hull saw the opportunity to take the original peer-to-peer system and further develop it to fill the needs of millions around the world who face restrictions to their access t...
Read more