In April of this year Localization Lab hosted an Ask Me Anything with the Psiphon team to bridge the gap between end users, contributors and developers, and to highlight what makes this open source circumvention tool so unique in the field of proxy and VPN applications.
Here are some highlights from the event:
How does Psiphon differ from other VPNs and circumvention tools?
Other VPNs: They're not designed for circumvention, and we are. They typically use a single VPN transport (usually OpenVPN) and only use as many servers as are needed to supply their users. So they can be blocked if censors a) block OpenVPN completely, or b) enumerate and block their limited server IP addresses. We have a ton of servers that we're constantly updating, and a lot of different methods of tunneling users to our servers. Blocking us is super duper hard. Most VPNs are also closed source. You're theoretically not anonymous from your VPN provider, and you have to place a lot of trust in a random third party to tunnel all your traffic there. Their commercial motivations can vary, and may include collecting and monetizing data on users' web traffic or other personally identifying information, and/or sharing it with third parties. Privacy policies should be read carefully, if there even is one.
The Psiphon code base is open source (https://github.com/Psiphon-Labs/) and regularly security audited / subject to peer review. That kind of transparency is pretty rare in the VPN world. You can see that Psiphon (https://psiphon.ca/en/privacy.html) will never log personally identifying information, and only collects aggregated stats from the network.
Other circumvention tools: Depends! We probably have more circumvention tricks than most. We probably have more diverse server strategies than most. We probably have more capacity than most. We're probably easier to use than most... Which is why we're more successful than most, in most places, most of the time.
What are these different methods?
Psiphon: We don't enumerate this anywhere, to make it less easy for censors. But this is a partial answer: https://github.com/Psiphon-Labs/psiphon-tunnel-core/blob/master/psiphon/common/protocol/protocol.go#L33-L43
One individual expressed distrust of free VPNs. Could you share a bit more about the Psiphon and Psiphon Pro applications and why and how you offer a free version of the application? But why would someone invest in Psiphon Pro or Psiphon instead of another paid VPN?
Psiphon: Yeah, it's good to be wary of free stuff, generally. So this is always difficult, especially since we don't talk about our funding sources much. The short answer is: We don't get money from user data (except as it pertains to showing ads). We don't have accounts, we don't look at user data, we don't modify user data.
It depends who/where you are. Those VPNs typically aren't circumvention tools, so no amount of money will give them what we have. If you need to circumvent censorship and don't want ads or limited speed, pay for Psiphon Pro. I think there needs to be better communication/education for users about (benign) government-derived funding for tools like ours (and yours!). Like, ads are obvious, landing pages are obvious, but... OTG/USAGM/whatever funding behind the scenes? Invisible.
How does the cost of Psiphon Pro compare to other competitive VPNs on the market?
Psiphon: Ultimately, free circumvention networks aren't free to run. The number of users online (many millions) and the bandwidth transferred (many petabytes per month) through the network has grown perpetually, and will continue to.
Psiphon Pro was released in 2015, I think partly in response to challenges of sustainability that emerged from large numbers of users from Western countries, on particularly high-bandwidth, (relatively) uncensored networks. It's an ad-supported version of the software that also allows users to subscribe and support the network.
For users in censored societies who shouldn't be expected to pay, and often can't pay, we need to make sure that we're able to offset the cost of users in the US and elsewhere, and allow them to make a contribution to supporting access to the open Internet for everyone else.
Have you ever considered a Linux version?
Psiphon: All the time. But:
a) Every platform multiplies our workload, so has to be carefully considered.
b) There aren't that many Linux users (although there are many influential ones).
c) MacOS will probably come before Linux.
How do Psiphon features and the user experience differ across platforms?
Psiphon: Yeah, heavily. It's an unfortunate side-effect of the small, scrappy beginnings of Psiphon. More emphasis was placed on speed-of-implementation than on think-about-later-cross-platform-ness. And originally we had a one-button UI and that's it. And so on. (And we didn't have a graphic designer until very recently.)
So each new platform gets a nicer-looking client, and sometimes we go back and give old platforms a facelift (like Windows). But that's a resource-intensive job. The struggle to defeat censorship takes a lot of work, so if the crappy, inconsistent UI works, then…
But it's primarily just the UI that is different then? Or are there any other differences between the iOS, Android and Windows versions?
Psiphon: I didn't actually answer the question. The features don't differ much, really. The circumvention tech is mostly in a common "core" that's shared between all clients. Yeah, mostly the UI. But also stuff like: Right now you can't pay money for the Windows client to get a faster speed, although we're working on it.
Is it true that Psiphon can help users to access contents in case of Internet Shutdown?
Psiphon: Depends on the nature of the shutdown. If it's a literal absolute blackout, then no -- you'll need a mesh or carrier pigeons or something. But if it's something like "block all http/https", then yes, probably. There has been at least one case of us getting around a "shutdown". Maybe Keith remembers the details. If the Internet is shut down, theoretically, there is no Internet. So it doesn't matter how good your circumvention tool is, if you aren't online. As an aside, I'm a fan of the AccessNow #KeepItOn campaign, but it has led us a bit into the weeds with what we mean by "Internet shutdowns". They tend to use a more expansive definition that includes the blocking of apps or websites, and the Internet still being decidedly "on". I understand that suits their advocacy goals. Not to go too far down into the rabbit hole of terminologies, suffice to say we need to be clear what we mean in each case. I hear people saying "we recommend Psiphon during Internet shutdowns" or "give us OONI data during Internet shutdowns" - only if the Internet was on would these things be possible. I've also heard people talking about "website shutdowns" or "platform shutdowns" or "Internet blackouts" - understandably, it's confusing for the average Internet user. I'm wary about any potential misinformation about censorship events and their very different manifestations and effects.
If a partial Internet shutdown is just blocking, then Psiphon is built for that. There's a cool story of Psiphon working in a total shutdown. There was a case in April 2017 where there was a literal Internet shutdown in Cameroon, targeted at the Anglophone regions in the Northwest and Southwest. They cut off connectivity throughout those regions on or around April 20th. However, through some combination of Internet routing paths and Psiphon infrastructure, Cameroon users were able to get connections through a French ISP, Orange, and came up on the Psiphon network as users in France. I think close to 100,000 users a day were benefiting from this.
Do you have usage data per country/language?
Psiphon: We have region stats internally, but don't typically share them, because we don't want to give the censors info they might not have otherwise, and we don't want to poke any hornets' nests.
It would be great to hear more stories like this… We have blogged about events before, like: https://psiphon3.com/en/blog/brazil-whatsapp-2015.html (Although our blog needs work too...)
How does Psiphon differ from Lantern (another proxy that is ‘more than a VPN’)?
Psiphon: I honestly don't know the answer right now -- it's been a while since I've looked at them. Once upon a time they seemed to have more traction than we do in China, but less elsewhere. They had much, much fewer users/traffic than we did, and probably still do. I think they also have fewer circumvention tactics than we do, but I don't know for sure. Once upon a time we shared some tactics, and probably still do.
My big question is, throwing out circumvention and thinking about privacy, where do Lantern, Psiphon and Tor (and other VPNs) sit on a spectrum? For users with censorship and serious privacy / security concerns, how should they approach Psiphon?
Psiphon: That's tough.
Again, it's going to be "it depends". Like, it depends on exactly what the user is worried about -- aka their threat profile.
If they're worried about Facebook knowing who they really are or where they're connecting from, use Tor Browser Bundle. But if they're also in a censored region it's going to be a bit harder (they should use Tor-through-Psiphon). And they shouldn't put anything non-encrypted through Tor, since exit nodes are shady as hell. And it's going to be a slow experience if they try to do much else.
If they're in a non-censored region and are worried about their ISP sniffing their traffic, use any VPN.
If they're in a censored region and getting past censorship is the main concern, use a circumvention tool. And Psiphon is literally the best circumvention tool.
What is PsiCash and how does it work for users of Psiphon for iOS?
Psiphon: It's also coming for Android and Windows soon-ish.
PsiCash is a way for users to get a better Psiphon experience either via money or activities, like watching rewarded videos or checking out our web stuff. Like, "watch a few videos, get enough PsiCash to get Speed Boost".
Domain fronting emerged as a popular, but relatively low-hanging, circumvention technique some years ago. In the sense that app developers could put a big old "Google" or "Amazon" in the header of their traffic, and it would fool a lot of censors. It saved those developers from having to use bespoke solutions, like run their own circumvention network. Signal was one of the apps doing it this way, through Google App Engine (which didn't work in Iran and some other places). Domain fronting in this way was more of a loophole or exploit in the infrastructure than something they (Google, Amazon, Cloudflare) ever openly supported. As was revealed during the frenzied attempt to block Telegram in Russia, blocking random Google and Amazon IP addresses willy-nilly caused a lot of collateral damage on those services, and affected their customers and commercial relationships. It's understandable that they closed this down; any 'advice' from China was probably secondary.
It's still a relatively useful circumvention technique and was / is used in Psiphon, with the key difference that we have a relationship and a mutual understanding with the domain providers we use. We published a blog post about that in 2018: http://blog-en.psiphon.ca/2018/04/why-you-dont-need-googles-domain.html
Psiphon: ProtonVPN is a non-circumvention VPN. Specifically, OpenVPN-based. If OpenVPN is blocked (which is trivial), ProtonVPN is blocked. Also, probably not open-source. Again, if you're in a not-heavily-censored region and you just want to bypass your ISP, and don't care about open-source-ness, then use whatever VPN is cheap, has decent claims, and hasn't yet gotten caught handing over logs without a warrant.
Why does Psiphon have a CLA?
What's your take on WireGuard, since most people from InfoSec use it in their work and it is also included in many security tools & OSes? Are you planning to offer split-tunneling in Psiphon, since some VPNs do offer it?
Psiphon: WireGuard is great, in the sense that it's faster than OpenVPN. But it's just as blockable. It needs to be combined with circumvention tactics to be useful in censored regions.
We have split-tunnel on Windows, but nowhere else. We need to evaluate its utility/desirability.
Just very recently I contributed some translation to [the Psiphon Inauthentic Downloads Survey]… It would be nice to read its results. Do you plan to publish it?
Psiphon: Basically, Android allows users to install apps directly downloaded from various sources ("sideloading"). Unlike on iOS where all app installations come from the official App Store and are audited and officially verified. Android users can (and do) turn to all kinds of unofficial sources for apps, from 3rd party app stores to random sketchy filesharing links. Sideloading was definitely a benefit from the perspective of the Google Play store in the past not being offered in Iran and several other countries, the ability of censors to block our websites; we could always fall back on distributing the software via email responders (and they're still widely used). Sometime in 2014 (or maybe before) numerous 'bootlegged' versions of Psiphon began to appear and be distributed on social media, online forums, sketchy links etc. Some indie developer would take a version of Psiphon, unpack it, maybe strip out or add some features, like extra UI menus, put their name at the top, and recompile the .apk and distribute it. e.g.:
Unfortunately, a bad actor can also appropriate the Psiphon name, logo, icon, maybe even a version of the app itself. Going back to 2013, there have been a few cases of malicious versions of Psiphon that were found and distributed to a targeted community, e.g.:
There's not much we can do to prevent users from downloading an app that may or may not be Psiphon from a site outside of our control. We always tell users - only download Psiphon from the official sources: the Google Play store / app store, our official download site(s), and the email responders. If you've gotten an app from outside the official sources, the only way to tell that it hasn't been tampered with is to authenticate the digital signature. When it's last compiled, it's verified by that developer with a signature. It can't be forged. https://psiphon.ca/en/faq.html#authentic-android
I haven't read everything above about inauthentic apps, but I'll add: It's a super hard problem! There are a few mutually-confounding factors:
Decompiling and repackaging apps is super easy. This can be done by people who want a flashier skin or by people with malicious intent.
We need Psiphon to be available every which way. Multiple download sites, email responders, app stores. If we were only available via app stores, it'd be easy to tell users what to do. But app stores get blocked frequently, and are completely unavailable in some places.
We're super popular! So we're also a popular target for inauthentic chicanery.
We're constantly asking the app stores to take down fake apps with our name. We tell users how to check authenticity (https://psiphon3.com/en/faq.html#verify-psiphon-authentic). We think a lot about how to stop or disrupt fake apps. But it's a really, really hard problem that's not going to go away and will probably never have a magic bullet.
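The check the answers above point to ("authenticate the digital signature"), as an added example that is not Psiphon's own code: a repackaged APK still carries a valid signature, just under the repackager's certificate, so the script compares the signing certificate's SHA-256 digest with a pinned value. It assumes `apksigner` from the Android SDK build-tools is installed and that the pinned fingerprint is copied from an official Psiphon source; the sample outputs and digests are constructed.

```python
import re
import subprocess
import sys

# Constructed sample of `apksigner verify --print-certs` output (digests made up).
SAMPLE_OFFICIAL = (
    "Signer #1 certificate DN: CN=Constructed Official Signer\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)
# A repackaged APK still verifies, but under the repackager's own certificate.
SAMPLE_REPACKAGED = SAMPLE_OFFICIAL.replace("ab" * 32, "12" * 32)

_DIGEST_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def normalize(fingerprint):
    """Return lower-case hex without colons or spaces; reject anything else."""
    fp = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("expected a SHA-256 certificate fingerprint")
    return fp


def signer_digests(apksigner_output):
    """SHA-256 digests of every signing certificate apksigner reported."""
    return [d.lower() for d in _DIGEST_LINE.findall(apksigner_output)]


def is_authentic(apksigner_output, pinned):
    """Fail closed: at least one signer, and every signer is the pinned cert."""
    want = normalize(pinned)
    digests = signer_digests(apksigner_output)
    return bool(digests) and all(d == want for d in digests)


def verify_apk(path, pinned):
    """Run apksigner on the APK and check who signed it."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", path],
                          capture_output=True, text=True)
    # A non-zero exit status means the signature itself did not verify.
    return proc.returncode == 0 and is_authentic(proc.stdout, pinned)


if __name__ == "__main__":
    # usage: check_apk.py app.apk <fingerprint copied from an official source>
    ok = verify_apk(sys.argv[1], sys.argv[2])
    print("signer matches" if ok else "DO NOT INSTALL: signer mismatch")
    sys.exit(0 if ok else 1)
```

Take the pinned fingerprint from a channel other than the one that delivered the APK; a fingerprint shown next to an unofficial download proves nothing.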