Skip to main content

Psiphon Completes Another Third Party Security Review

In late June 2017, Psiphon continued to prove its commitment to open source development (you can access our code repository here), by commissioning Cure53 to perform a security audit of our services. The security review took 22 days and a total of 9 testers to complete what was described as a review with a “vast scope” and the Cure53 testers were very thorough. This is our 2nd security audit of this kind in 3 years (you can see the results of the 1st one, performed by iSec here).
The report’s description of what was included in the scope reads:
“In scope were multiple components of the Psiphon software compound, including the tunnel-core client and server, the library glue, the Psiphon iOS app and, last but not least, the Psiphon iOS browser. This very broad premise and scope explain the necessity for involving a rather large number of testers with properly matched expertise in different arenas. In sum, the tests included code audits, actual penetration tests, protocol and configuration reviews, and a cryptographic audit."
We are very happy with the results of the security audit and proud to relay that “no noteworthy security risks could be unveiled” (pg.19). In the spirit of transparency you can read the full detailed report in pdf form here. Of the two vulnerabilities found, one has already been fixed (and confirmed by Cure53) and steps have been taken to address the other in upcoming releases.
The testers also noted 7 other miscellaneous issues that you can find listed in the report, four of these have also already been addressed.
The testers shared a conviction that the software compound greatly benefitted from a number of software security audits in the past. Needless to say, this is reflected in findings. Among the total nine issues discovered, only two were marked as security vulnerabilities and were further ascribed with the lowest “Informational” severity ranking.”
The Cure53 testers noted several times throughout the report how clean and quality driven the code is and came to the following conclusion:
“Despite investing considerable time and personnel resources into attempting a compromise, the Psiphon components in scope held up to scrutiny and presented themselves strong and robust in face of adversarial efforts. The bottom line is that no noteworthy security risks could be unveiled.”

We hope that you will find this report interesting, and that it will assure you of our commitment to providing first-class software that will always be open source and secure.

Popular posts from this blog

Social Media and Internet Ban in Turkey

Following the detainment of 12 pro-Kurdish lawmakers from the Peoples’ Democratic Party (HDP) in the early hours of November 4 th , Facebook, Twitter, Instagram, YouTube, WhatsApp and Skype were blocked in Turkey . There were reports that Turk Telekom internet provider completely disabled access to the internet or throttled the connection to the point that it was impossible to connect. Despite lack of official decision about the restrictions, and BTK’s explanation that there was a technical problem throughout Turkey, Prime Minister Binali Yildirim made a statement later in the day and said “For security reasons, these kinds of measures can be taken time to time. These are temporary measures. Everything goes back to normal after the danger is eliminated.” Social media and internet bans ended the following evening in most of the country, but there were still some short-term connection problems during the weekend in some regions, and it was reported that some Turk Telekom users

Psiphon Usage Surges as Brazil Blocks WhatsApp

At 9PM ET on December 16th WhatsApp was blocked in Brazil . The ban came after a judge ordered that the messenger app be blocked for 48 hours when the company refused to hand over private user information related to a criminal case. For months, Brazilian telecommunications companies have been attempting to shut down WhatsApp because it provides free messaging and voice services. WhatsApp is the most popular messenger service in Brazil and telecoms blame it for luring millions away from paid cell phone use. Internet users in Brazil reacted strongly to the ban, criticizing the decision to block WhatsApp widely on social media. Millions turned to alternate messenger services and shared circumvention techniques over social media. Psiphon was praised by people in Brazil for being free, open source, and able to keep them connected throughout the blocking event. Psiphon’s surge capacity was able to cope with the increased demand, with peak data use of more than 8x that of a normal day. Psip

Amid major network disruptions, 1.76M Psiphon users in Belarus

The Psiphon network supported a peak 1.76 million daily active users during significant network interference that started August 9th, a figure that represents nearly 1 in every 3 internet users. A large-scale disruption to international internet access was observed in Belarus, beginning during the contested presidential election on August 9th. Widespread filtering was reported across all Belarusian networks, affecting popular messaging apps including Telegram, Viber, and WhatsApp; social media platforms Facebook, Twitter, Instagram, and Youtube; major app markets including Google Play and the App Store; email providers Gmail,, and Yandex; maps, banking, online media, and many other services. Rolling blackouts of the mobile networks also occurred nightly between 6PM and 6AM. The majority of VPNs were reportedly blocked as a result of generalized SSL/TLS filtering. Tor direct connections were disrupted by the increased network change, while Tor bridge users reached a peak 8,0