As part of our ongoing commitment to achieving the highest standards of transparency and security, Psiphon commissioned 7ASecurity to conduct a security review of its code base related to four new Psiphon enhancements. The resulting report is public and can be found at: https://7asecurity.com/reports/pentest-report_psiphon-e.pdf.
Using a “white box” approach, meaning the complete source code was available, the security team set out to determine Psiphon’s adherence to secure coding best practices, and to provide safeguard recommendations, where appropriate, based on their findings. The security team used a variety of tools and methods against all Psiphon source code and third-party libraries. Network traffic was also analyzed to identify potential attack vectors and fingerprinting, and to assess Psiphon’s behaviour under attack.
The team concluded:
“The Psiphon platform was found to be resilient to a broad range of attack vectors and provided an overall solid impression.
This reflects well on the team behind the solution. 7ASecurity detected only 1 security vulnerability of low severity. Hence, no significant security flaws could be identified during this assignment. The remaining 4 findings were classified as miscellaneous weaknesses and thus, not considered as vulnerabilities.”
Psiphon’s code base is open source, and can be accessed on GitHub. Previous security audits of Psiphon’s code can be found via our website and on the Psiphon blog.
We thank the 7ASecurity team for their efforts and are pleased that Psiphon’s software engineers and source code continue to be so well regarded.