Psiphon is a tool that aims to defeat internet censorship. Originally dubbed XP Psiphon, it does so by connecting a Windows desktop or Android device to the Psiphon censorship-circumvention network. It is aimed at helping the citizens of countries deemed enemies of the Internet reach the entire internet, but Psiphon can be used anywhere internet access is being curtailed.

A word about Psiphon and privacy

To set the proper expectation, Psiphon states at the very top of its privacy policy the following:

Specifically, Psiphon:

  • Uses (injects) ads to support the service which use cookies and web beacons
  • Occasionally records additional usage data which will be disclosed on its Privacy Bulletin
  • Shares access data with its partners so they can see how often their sites are visited and from where
  • Runs all of the Psiphon servers itself, although the code is open source and available on GitHub

If these drawbacks are not acceptable to you, it makes more sense to choose a good paid VPN service or Tor. If you want both privacy and anonymity, combine the two.

Overview

There is an understandable inclination to label VPNs and Psiphon as the same technology. They have different aims, though. When using a VPN, the act of using it is typically not hidden, but the contents of what you’re doing are. There are obfuscation techniques that can be used, such as Obfsproxy, and even just putting an OpenVPN server on port 443 goes a long way to hiding it within normal HTTPS traffic. But it doesn’t always work. Even the Tor Browser is easily detected by ISPs and can draw unwanted attention.

Psiphon’s main aim is to hide the fact that it is being used at all. Governments or other organizations attempting to censor the internet will try to detect circumvention methods like VPNs and proxies, which is what Psiphon seeks to avoid.

Psiphon clients are currently available for Windows and Android and connect to the Psiphon network through a variety of transport protocols. I asked the Psiphon folks how the protocol selection worked and received this response:

When pressed for more information, the Psiphon group explained in a little more detail:

Based on older documents, I suspect that SSH+ (SSH plus an obfuscation layer) at least is used which helps protect against protocol fingerprinting.

How to get Psiphon

Psiphon was originally made for Windows XP, so in many places you’ll see it referred to as “xp psiphon”. It later expanded to Android and newer versions of Windows.

The following versions were used in writing this article; it’s not clear to me why the Windows and Android versions have different names:

Android

  • Psiphon Pro
  • client version 146

Windows

  • Psiphon 3
  • client version 117

You can get the Psiphon client in two ways: by visiting the Psiphon website or by sending an email to get@psiphon3.com. I wasn’t able to get a response from get@psiphon3.com, but Psiphon support confirmed that it works, so that may have just been something specific to me.

The Psiphon Windows client

In order to make Psiphon available to the widest audience, there is no installation process. The single file download is a Windows executable that runs on Windows XP, Vista, 7 and 8.

Installing the Windows client

Given the nature of the application, it makes sense that opposing parties may try to distribute a compromised version of the Psiphon client. To avoid that, the Psiphon team maintains a list of SHA-1 hashes that can be used to verify that the Psiphon client you’ve downloaded is valid.

SHA-1 hasn’t been considered a secure cryptographic solution against well-funded opponents for years, but it is still valid as a data consistency check to ensure that the file you have has not been tampered with.

Navigate to the Psiphon website at http://www.psiphon.ca and click the Download button.

Select the Windows option.

You can verify the SHA-1 hash by using the instructions here. Keep in mind that different versions of the client have different hashes, so be sure you’re looking at the right one.
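One way to carry out the comparison on any machine with Python 3, as an added example (not Psiphon's own tooling): the script name `verify_sha1.py` is hypothetical, and the file path and published hash are whatever you pass on the command line, since the page lists no hash values.

```python
import hashlib
import hmac
import re
import sys


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large download is never held in memory whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalise_published(value):
    """Accept a hash pasted with spaces, colons, dashes or mixed case; reject the rest."""
    cleaned = re.sub(r"[\s:\-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        # A truncated or mistyped value must fail loudly, never compare as "close enough".
        raise ValueError("a SHA-1 hash is exactly 40 hexadecimal characters")
    return cleaned


def matches_published(path, published):
    """True only if the file's SHA-1 equals the published value for that client version."""
    expected = normalise_published(published)
    return hmac.compare_digest(sha1_of_file(path), expected)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_sha1.py <downloaded-file> <published-sha1>")
    ok = matches_published(sys.argv[1], sys.argv[2])
    print("MATCH" if ok else "MISMATCH: do not run this file")
    sys.exit(0 if ok else 1)
```

The result is only as trustworthy as the channel over which you obtained the published hash, so read the hash list over a connection separate from the one that delivered the executable where you can.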

Running the Windows client

Once you’re happy with the file, simply double-click it to launch it. Psiphon will immediately connect.

By default, the Windows client will connect in browser only mode and then launch the Psiphon browser with a Psiphon sponsor page loaded. This mode only tunnels traffic from the Psiphon browser through the Psiphon network.

To disconnect Psiphon, click the Disconnect button.

The main settings page shows an overview of the available sections. Expanding any section reveals changes you can make to the operation of the Psiphon client.

Configuring the Windows client

Minimize to system tray

This hardly seems to need its own settings page. By default the client stays on the screen once it is connected. If you’d like it to get out of your way and minimize to the system tray you can check the box in this pane.

Split tunnel

This is an interesting feature. Psiphon notes that even in the most censored countries, sites within the country are usually not censored. Since it is generally slower to access the internet using Psiphon, you can enable this feature to split your regional traffic. Traffic destined for your home country will not go through Psiphon, instead travelling over your default ISP network.

Disable timeouts for slow networks

Because you are connecting to Psiphon servers in other countries, and using obfuscation technologies, your connection can be slow. If the connection is too slow, then the Psiphon client may disconnect. Enabling this feature will prevent that from happening.

Psiphon server region

The default setting is Fastest Country which will connect you to the best server. That will generally be a country close to your own. If you’d prefer to connect to a different country you can select it here.

There are nine different countries to select from with a fair spread across the world:

  • Canada
  • Germany
  • Spain
  • United Kingdom
  • India
  • Japan
  • Netherlands
  • Singapore
  • United States

Local proxy ports

Psiphon will automatically set up an HTTP proxy which will work for most people. However, it may not use the same port every time. You may have applications on your computer that you want to use Psiphon with, which means it will need to send traffic over a specific port. You can set that up in this pane.

Upstream proxy

There are a few reasons for the settings here. If your computer has a proxy configured, you can tell Psiphon to use a different proxy, or you can check the Don’t use upstream proxy box to tell Psiphon not to use any proxy at all.

Transport mode

This setting should be named Use VPN. Enabling this setting will launch an L2TP/IPSec VPN connection to the Psiphon servers. The advantage of this is that it will tunnel all of the traffic on your computer through Psiphon instead of just web traffic. The downside is that a VPN is obvious so it is easy to block.

Tests at IP Leak show that the browser mode will leak your IP address via WebRTC detection, but VPN mode will not. There are Android screenshots of both later in the Android section.

The Psiphon Android client

Installing the Android client

The Google Play store has different apps in different countries. It’s possible that the Psiphon app is not available in your country’s version of Google Play. In that case, you can side load the app which means you can copy it into your device via USB instead of installing it from the Play store.

The Psiphon website has links and QR codes to the app in both the Google Play store and the side load version.

Because installing applications from unknown sources onto your Android device is a security risk, you’ll have to specifically enable that option. Each version of Android is slightly different, but the option will be somewhere in your security settings.

On a Samsung S6 with Android 6.0.1, it is the Settings -> Lock screen and security -> Unknown sources setting.

To see if the Psiphon client is available in your country’s Google Play store, simply search for it. Be aware that there are other similarly named apps which are not what you want. Be sure the application you install is from developer Psiphon Inc.

Running the Android client

Once the application is installed, tap it to launch it. The first thing I noticed is that there’s a very concerted effort to make money with the app. There are a lot of ads and there are also many options to purchase more speed. The free version of the Android app is limited to 2Mb per second which is usable for surfing the web, but probably not enough to stream video, game online, or download large files.

These ads help cover the cost of running the servers.

Clicking the Upgrade Now! button exposes many different options to purchase more speed.

To connect, tap the Start button and a browser will launch. The browser application that launches depends on how you’ve connected to Psiphon. If you’ve selected the Tunnel whole device option, which is described below, then your default browser will launch. If you’ve left that option disabled, then the built-in Psiphon browser will launch instead.

The reason for this difference is that the Psiphon browser is configured to use the Psiphon proxy whereas your default browser is not. Therefore, it is only safe to use the default browser if the entire device is being tunnelled through Psiphon.

When the app is connected, the Start button changes to a Stop button. To disconnect, tap the Stop button.

Configuring the Android client

Tap the Options item in the top menu to load a small set of options.

Select region

This setting defaults to the Best performance option that allows Psiphon to select the fastest connection for you. However, you can override this by selecting any country. This setting works regardless of what mode Psiphon uses to connect.

Tunnel whole device (requires Android 4.0+)

This should be named Use VPN. When this is disabled, only the Psiphon browser is tunnelled through Psiphon. Enabling this option turns on a VPN that tunnels all of your traffic through the Psiphon network.

Pulling down the Android shade menu from the top of your phone while Psiphon is running will confirm what mode it is running in. If only the browser is using Psiphon it will show that it is running in browser-only mode.

Tests at IP Leak show that the browser mode will leak your IP address via WebRTC detection. Note that I am using the Japan Psiphon server but I am physically in Canada, Nova Scotia.

However, in VPN mode, there is no IP leak.

If you select the option to tunnel the whole device, Android will give you a warning that Psiphon is trying to route all your internet traffic and require your permission to do so.

If you allow that and the connection is made, then the shade will confirm that is the type of connection running.

Which will expose a longer list of settings.

Like the Windows setting, enabling this option will make the Psiphon client more tolerant of network latency and make it slower to disconnect.

Clicking the More Options button exposes more settings.

Sound

Enabling this will cause your Android to make a noise when the connection starts or stops. This can be useful if you want to know when your connection drops.

Vibrate

Much like the Sound setting above, this setting will cause the phone to vibrate when the connection status changes.

Exclude Apps

This is a very handy feature and I was surprised to find it in the Psiphon app. It allows you to nominate apps that will not use Psiphon. This can be useful for applications that are location sensitive such as your bank as you won’t have to remember to disconnect to use those applications.

Connect through an HTTP proxy

The remainder of the settings are disabled unless you enable this checkbox. It allows you to enter settings which instruct Psiphon to use an HTTP proxy.

Custom HTTP headers

This setting allows the addition of HTTP headers. While there are a myriad of uses for custom HTTP headers on the internet at large, I am not sure why the feature would be included in a censorship circumvention application.

Use system network settings and Use the following settings

Only one of these can be enabled. The first one will simply use any proxy settings that already exist in your phone. The second option enables the following settings to set up a proxy for Psiphon to use:

Host address, Port, and Use proxy authentication

If you’ve enabled the second option above, then you’ll need to provide the proxy host address, port, and specify if the proxy requires authentication.

Proxy username, Proxy password, and Proxy domain

If you’ve selected proxy authentication above, then you’ll need to supply the credentials for it here.

Configuring the built-in Psiphon browser

If you’re not tunnelling the whole device (AKA: not using the VPN option) then you’ll want to use the built-in Psiphon browser to access the Internet. It’s a very rudimentary browser but it gets the job done.

Home page

As it sounds, you can set a custom home page here or you can set the home page to a blank page. In other browsers the term home page means the page that will be loaded when the browser launches. That does not seem to be the case with the Psiphon browser. Regardless of the home page I entered, the Psiphon page loaded first. I had to manually press the Psiphon button to the left of the address bar and select Home page to get to my home page.

Search url

Entering anything that is not a recognizable web address into the address bar will cause the Psiphon browser to search for it. This setting controls where it searches and is preset to Google. You can change this to any search engine you’d like as long as you can figure out the syntax the search engine expects. If you take a look at the default Google entry you’ll see how to construct that.

User interface settings

This pane contains various settings to control how the browser looks. You can set it to fullscreen, determine how long toolbars should display, set what the volume keys do, and other tweaks.

Start page customization

The start page is the page that loads when the browser first launches. By selecting checkboxes, you can cause the start page to contain different panels of information such as a search bar, your most used bookmarks, and recent history items.

Firefox bookmarks synchronization

This purports to be a handy feature that will grab your bookmarks from Firefox and load them into the Psiphon browser. However, when setting up the sync Psiphon asks for a Firefox username, password and your sync key. The sync key is stored on each device and is not available from the Firefox account interface. I attempted to recover the sync key from my system using various techniques such as Password Fox to read my profile but was unable to. Whether this feature is worth the work depends on your needs.

Default zoom level

Some sites are hard to read on a mobile device so you can set the zoom level here to assist with that. The browser supports pinch and zoom already, so it doesn’t seem that this setting would need to be used much.

User agent

A user agent is a string that is sent along with every web request that tells the receiving web server what browser is being used. While user agent strings are very detailed and usually contain the operating system and browser being used, they are primarily used to determine if the website visitor is on a mobile device or a desktop. Many websites will format their content differently for mobile devices to make it easier to read.

This setting allows you to tell the Psiphon browser to send a mobile or desktop user agent all the time. It also allows you to set a custom agent so you can appear to be using any browser you want.

I tested the default user agent using my own logs and saw that it does not identify itself as a Psiphon browser. It reports itself to be Chrome on Android. This type of obfuscation makes sense for an application like Psiphon:

192.84.101.6 - - [21/Dec/2016:09:21:37 -0400] "GET /2015/11/01/jon-watson/ HTTP/1.1" 200 7447 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G925W8 Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36"

Enable Javascript

JavaScript runs on the client device (the Android phone in this case) and therefore has access to some local information that a website would not have. It’s possible to determine more about your website visitor with JavaScript than you might think. Unchecking this box will prevent any JavaScript from executing, which can make the web harder to use but provides more security and privacy.
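Even with JavaScript off, every request still carries the user agent. Returning to the access-log entry quoted in the User agent section above, this added example (not code from the article or from Psiphon) shows what the receiving server can read out of it; it assumes the standard combined log format, and the function names are illustrative.

```python
import re

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The entry quoted in the article.
SAMPLE = (
    '192.84.101.6 - - [21/Dec/2016:09:21:37 -0400] '
    '"GET /2015/11/01/jon-watson/ HTTP/1.1" 200 7447 "-" '
    '"Mozilla/5.0 (Linux; Android 6.0.1; SM-G925W8 Build/MMB29K; wv) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 '
    'Chrome/55.0.2883.91 Mobile Safari/537.36"'
)


def parse_line(line):
    """Split one combined-format entry into named fields, or return None."""
    # Entries pasted through a CMS often arrive with typographic quotes.
    line = line.translate({0x201C: '"', 0x201D: '"'})
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def describe_agent(agent):
    """Report what the user-agent string discloses to the receiving server."""
    platform = re.search(r"\(([^)]*)\)", agent)
    tokens = [t.strip() for t in platform.group(1).split(";")] if platform else []
    android = next((t.split(" ", 1)[1] for t in tokens if t.startswith("Android ")), None)
    model = next((t.split(" Build/")[0] for t in tokens if " Build/" in t), None)
    chrome = re.search(r"Chrome/([\d.]+)", agent)
    return {
        "android_version": android,
        "device_model": model,
        # "wv" is the marker Android System WebView adds to its user agent.
        "webview": "wv" in tokens,
        "chrome_version": chrome.group(1) if chrome else None,
        "names_psiphon": "psiphon" in agent.lower(),
    }


if __name__ == "__main__":
    entry = parse_line(SAMPLE)
    for key, value in describe_agent(entry["agent"]).items():
        print(f"{key}: {value}")
```

The string never names Psiphon, but it does disclose the Android version, the device model and the WebView marker to every site visited.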

Load images

You may wish to disable this option if it slows down your connection too much. There is not much security value in disabling this, but it can help with an already slow Psiphon connection.

Use wide viewport

This setting allows the Psiphon browser to attempt to load the website with a wider view, which makes it more similar to what it would look like on a desktop computer.

Load pages with overview

Pages will load zoomed out so you can see the whole thing if this is checked. The page may be unreadable until you zoom in, but it will allow you to get a sense of the page and some context.

Restore tabs

Enabling this setting will cause the Psiphon browser to restore the tabs that were opened the last time you used it.

Enable plugins

You can use this screen to set the plugin behaviour. Plugins can be allowed to run all the time, only when requested, or never.

Privacy settings

Standard privacy settings such as saving your passwords and history, as well as clearing your cookies and form data, are found on this page.

Manage websites

The Google Web Toolkit is a framework for developing websites with a responsive layout. Adding sites to this list will cause them to be loaded using Google mobile view with the Google Web Toolkit.

Desktop mode list

Sites listed here will be requested with a desktop user agent to ensure they load the desktop version of the site.

Manage bookmarks and history

This page allows you to import, export, and clear your bookmarks and history.

About and Changelog

These are standard pages that provide information about the browser such as the version and a history of changes to the application.