Psiphon, Part I: Why You Need This Open Source, Personal Secure Proxy Server

Author: R L Kohler. Source: Nubility.Net

Psiphon is a new way to help people cut through firewalls. You should be using it if you surf wirelessly away from home, or in a location where firewalls stop you from going to places you would like to go on the Web.

Psiphon is a personal, secure proxy & anti-censorship tool

It was designed to circumvent censorship in repressive countries (typical article here; you can also find the New York Times Article still available here). In addition to helping your friends and relatives circumvent censorship, you need this application to secure your web browsing at Starbucks from prying eyes and to get around firewalls. It’s easy to install, configure and use, but there are a few things you should know to get the most use out of this service and protect yourself.

How Psiphon works. Psiphon is installed on your computer at home, and it acts as a secure web proxy, allowing people to securely log into your PC using the Psiphon service, then go on to other web sites. Governments setting up firewalls (e.g. the People’s Republic of China) or monitoring the end user (e.g. the guy at the table next to them at Starbucks, or the National Security Agency) see only the address of your home PC, and they don’t see the data, because it’s encrypted using SSL (Secure Socket Layer, Port 443).
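
The observer's view described above, as an added example (not code from Psiphon or from the original article): it parses what a passive eavesdropper can read from the same request sent directly and sent inside an SSL record to the home PC. The addresses, the hostname and the random stand-in ciphertext are constructed for illustration.

```python
import os
import struct

HOME_PC = "203.0.113.10"     # constructed address: home PC running Psiphon
NEWS_SITE = "198.51.100.20"  # constructed address: the site actually being read
REQUEST = b"GET /world/index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"  # constructed


def ssl_record(plaintext):
    """Constructed stand-in for one encrypted SSL/TLS application-data record.

    Random bytes take the place of real ciphertext; only the 5-byte record
    header (type, version, length) is in a form an observer can parse.
    """
    return struct.pack("!BBBH", 0x17, 3, 1, len(plaintext)) + os.urandom(len(plaintext))


def observe(dst_ip, dst_port, wire):
    """Return what a passive eavesdropper on the path learns from one packet."""
    seen = {"dst": f"{dst_ip}:{dst_port}", "host": None, "path": None, "record_len": None}
    # SSL/TLS record: content type 20-23, major version 3, then a 16-bit length.
    if len(wire) >= 5 and 20 <= wire[0] <= 23 and wire[1] == 3:
        seen["record_len"] = struct.unpack("!H", wire[3:5])[0]
        return seen  # everything after the header is opaque ciphertext
    # Cleartext HTTP: the request line and Host header are readable as sent.
    head = wire.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line = head[0].split(b" ")
    if len(request_line) == 3 and request_line[2].startswith(b"HTTP/"):
        seen["path"] = request_line[1].decode("ascii", "replace")
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                seen["host"] = value.strip().decode("ascii", "replace")
    return seen


def compare():
    """Same request seen two ways: sent directly, and sent through the home proxy."""
    direct = observe(NEWS_SITE, 80, REQUEST)
    via_psiphon = observe(HOME_PC, 443, ssl_record(REQUEST))
    return direct, via_psiphon


if __name__ == "__main__":
    for label, view in zip(("direct", "via Psiphon"), compare()):
        print(f"{label:12} {view}")
```

The record length remains readable in the second case, so an observer still learns how much data moved even though the host and path are hidden.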

Who’s Responsible for Psiphon? Psiphon is written and maintained (and it is currently maintained) by The Munk Center For International Studies, which is part of the University of Toronto. It’s funded by the Open Society Institute (which is part of the Soros Foundation).

Use Under Repressive Regimes. Here’s how Psiphon is intended to work to counter the censorship of repressive regimes in more detail:

  1. You (person in free country) install and configure Psiphon (configuration guide here).
  2. You set up an account for your friends/relatives on your PC, and give them the user name, password and the Internet Protocol (IP) address of your PC at home.
  3. Your friends install nothing on their computer (though separately, I’d recommend using Firefox for this, as I recommend for everything).
  4. Your friends surf to the address you gave them, and they log in to the Psiphon service, using SSL. Your friends read the New York Times or Wikipedia, and learn what’s going on in the world.
  5. Your friends clear their caches when they exit, and there is little trace on their system of where they went.
  6. Your friend’s Government can’t easily look up where your proxy is, so it’s very hard for them to block the address (though I believe that this is a bit of a stopgap measure, and they will eventually be able to easily do so. For instance, they could block all addresses in the Verizon home DSL block).

The upshot is that there is no real way to see where your friends are really surfing, or that they are even doing anything in violation of oppressive state dictates (like reading the Bible, Slate or Salon).

Psiphon works in the midst of censorship because:

  • SSL is “Secure”. It’s 128-bit encryption, which is standard in banking, though less than the United States Government requires in its important transactions (they use at least 192-bit encryption). Thus, while less secure than I would have chosen for the standard, this remains secure enough to keep all but the very determined adversary out of your business. If a major Government (e.g. The United States National Security Agency) was determined to read your session, however, they could eventually do so.
  • SSL is Necessary. The SSL Port has many legitimate uses, even in repressive nations, such as banking, credit card transactions, password and account transactions where there’s anything significant on the line. Even repressive regimes can’t live without SSL these days.
  • Anonymous Destination. The censors don’t know that your home PC is acting as a secure web proxy for your friends, and there is virtually no way to tell that you are doing so. The best that they can do is to determine that your address is part of a consumer ISP pool.

Benefits to You. What Psiphon can do for you (who are probably in a Free-Nation with a Starbucks):

  • Stops people from eavesdropping on your web surfing during wireless sessions when you can’t use a secure connection (or if others know your key, as is the case in some WEP setups)
  • Stops people from eavesdropping on your web surfing where the connection is suspect (e.g. at Hotels, where the connection is monitored)
  • Leads eavesdroppers to believe that your (secure) destination is your home address, rather than your true destination
  • Circumvents firewalls that prohibit you from accessing some sites (e.g. public library, your office)
  • Since it runs on your machine, you are in control of the Proxy, determine who can log in and who knows about the service you’ve set up.

NOTE: Using Psiphon as a secure proxy is fundamentally better than using open, unsecure proxies such as NinjaProxy. Psiphon is better because it stops both destination snooping (like unsecure proxies) and content snooping (which the unsecure proxies do not).

Drawbacks. From the perspective of the Free-Nation user, there are several drawbacks (or, ways to improve it) to Psiphon:

  • This works only for unsecured (http://) web sites right now. Thus, you can’t use Psiphon to circumvent access to https:// web sites.
  • Site traffic of people using Psiphon appears to your ISP and the sites you visit to be coming from you. Thus, if the RIAA tracks web traffic to your PC, it could have originated from any of your friends. Lesson: Only give your Psiphon login info to people you trust.
  • Psiphon doesn’t encrypt all traffic to/from your PC as a Virtual Private Network (VPN) would. Thus, your non-web surfing would remain vulnerable, including checking your email via POP, instant messaging and FTP. Please check out more robust options for Secure Wireless Browsing Away From Home.
  • Using Psiphon is bandwidth inefficient, since it makes two connections to/from your PC when the user could otherwise go directly there. Thus, all users are using your bandwidth–twice.
  • Handing out your Psiphon service indiscriminately may very well bring your available bandwidth to its knees, because all those other users would be using your bandwidth–twice.
  • Using Psiphon may violate your Internet Service Provider’s Terms of Service (but so may using a home router, configuring your wireless without encryption, sharing service with your neighbor or going over your “unlimited” bandwidth limit).
  • Using Psiphon to circumvent censorship is illegal in some countries. Assisting others is also illegal in some countries. (But then you don’t obey unjust laws, do you?)
  • Using Psiphon from your work may violate your terms of employment from several perspectives. This is reviewed in Securely Browsing from Someone Else’s Computer (e.g. don’t go places your employer doesn’t want you to).
  • If you share your Psiphon service with others, they will be using your bandwidth — both upload and download, because the request goes in to your PC and again out back to their origination.
  • There is a log tab, as you will see in part II of this article, but this log doesn’t tell you who logged in or where they went. It does separately tell you something about when each user last accessed it, but that’s it. In the event of an untoward allegation by law enforcement, you’d like to be able to demonstrate that you weren’t the one visiting the site in question. However, now you only have reasonable doubt and deniability.
  • Kids can use this to get around pretty much any firewall parents, schools or libraries set up. Of course this applies equally if the kid’s neighbors set it up as if you do (and give her an account).

These drawbacks mean that Psiphon is really useful to those attempting to avoid censorship — and very dangerous to ANYONE attempting to censor users (e.g. China, your office, Cupertino High School). However, it’s not a security panacea, and you should choose your friends wisely for many reasons.

Other anti-censorship options. There are several other anti-censorship options available. You can find a good article on the viability of those options here. My summary of that article is that all anti-censorship solutions work only if the censors are lazy (and I agree). Also — not covered by the article — Psiphon is the easiest of the bunch to install and configure, it works as well as or better than the others, and it’s more responsive than the others.

Recommendations: I recommend that, if you are moderately technologically savvy, you:

  • Use Psiphon to keep your surfing secure and to assist your friends and relatives to circumvent censorship, especially when surfing in an unsecure wireless connection or a connection you don’t trust, such as some hotels.
  • Password-protect accounts; don’t hand out access to the accounts lightly.