Psiphon is a tool that aims to defeat internet censorship. Originally dubbed XP Psiphon, it does so by connecting a Windows desktop or Android device to the Psiphon censorship-circumvention network expressly for the purpose of circumventing internet censorship measures. It’s aimed to help the citizens of countries deemed
A word about Psiphon and privacy
Psiphon does not increase your online privacy, and should not be considered or used as an online security tool.
- Occasionally records additional usage data which will be disclosed on its Privacy Bulletin
- Shares access data with its partners so they can see how often their sites are visited and from where
- Runs all of the Psiphon servers itself, although the code is open source and available on GitHub
Related: What’s the best VPN for Tor and how to combine them.
There is an understandable inclination to label VPNs and Psiphon as the same technology. They have different aims, though. When using a VPN, the act of using it is typically not hidden, but the contents of what you’re doing are. There are obfuscation techniques that can be used such as Obfsproxy, or even just putting and OpenVPN server on port 443 goes a long way to hiding it within normal HTTPS traffic. But, it doesn’t always work. Even the TOR browser is easily detected by ISPs and can draw unwanted attention.
Psiphon’s main aim is to hide the fact that it is being used at all. Governments or other organizations attempting to censor the internet will try to detect circumvention methods like VPNs and proxies, which is what Psiphon seeks to avoid.
Psiphon clients are current available for Windows and Android and connect to the Psiphon network through a variety of transport protocols. I asked the Psiphon folks how the protocol selection worked and received this response:
Both the Android and Windows clients automatically select the best transport protocol to use to connect to a Psiphon server. SSH is one of several protocols that the client may use. There is no user setting available to choose a specific transport protocol.
When pressed for more information, the Psiphon group explained in a little more detail:
With the exception of VPN mode on Windows, Psiphon always uses SSH as the underlying transport protocol. Various different obfuscation techniques are layered on top of the standard SSH protocol. The client attempts to connect using all available methods, and chooses the fastest successful connection.
Based on older documents, I suspect that SSH+ (SSH plus an obfuscation layer) at least is used which helps protect against protocol fingerprinting.
How to get Psiphon
Psiphon was originally made for Windows XP, so in many places you’ll see it referred to as “xp psiphon”. It later expanded to Android and newer versions of Windows.
The following versions were used in writing this article, it’s not clear to me why the Windows and Android versions have different names:
- Psiphon Pro
- client version 146
- Psiphon 3
- client version 117
You can get the Psiphon client in two ways. Visiting the Psiphon website or by sending an email to firstname.lastname@example.org. I wasn’t able to get a response from email@example.com, but Psiphon support confirmed that it works so that may have just been something specific to me.
The Psiphon Windows client
In order to make Psiphon available to the widest audience, there is no installation process. The single file download is a Windows executable that runs on Windows XP, Vista, 7 and 8.
Installing the Windows client
Given the nature of the application, it makes sense that opposing parties may try to distribute a compromised version of the Psiphon client. To avoid that, the Psiphon team maintains a list of SHA-1 hashes that can be used to verify that the Psiphon client you’ve downloaded is valid.
SHA-1 hasn’t been considered a secure cryptographic solution against well-funded opponents for years, but it is still valid as a data consistency check to ensure that the file you have has not been tampered with.
Navigate to the Psiphon website at http://www.psiphon.ca and click the Download button.
Select the Windows option.
You can verify the SHA-1 hash by using the instructions here. Keep in mind that different versions of the client have different hashes, so be sure you’re looking at the right one.
Running the Windows client
Once you’re happy with the file, simply double-click it to launch it. Psiphon will immediately connect.
By default, the Windows client will connect in browser only mode and then launch the Psiphon browser with a Psiphon sponsor page loaded. This mode only tunnels traffic from the Psiphon browser through the Psiphon network.
To disconnect Psiphon, click the Disconnect button.
The main settings page shows an overview of the available sections. Expanding any section reveals changes you can make to the operation of the Psiphon client.
Configuring the Windows client
Minimize to system tray
This hardly seems to need its own settings page. By default the client stays on the screen once it is connected. If you’d like it to get out of your way and minimize to the system tray you can check the box in this pane.
This is an interesting feature. Psiphon notes that even in the most censored countries, sites within the country are usually not censored. Since it is generally slower to access the internet using Psiphon, you can enable this feature to
split your regional traffic. Traffic destined for your home country will not go through Psiphon, instead travelling over your default ISP network.
Disable timeouts for slow networks
Because you are connecting to Psiphon servers in other countries, and using obfuscation technologies, your connection can be slow. If the connection is too slow, then the Psiphon client may disconnect. Enabling this feature will prevent that from happening.
Psiphon server region
The default setting is Fastest Country which will connect you to the best server. That will generally be a country close to your own. If you’d prefer to connect to a different country you can select it here.
There are nine different countries to select from with a fair spread across the world:
- United Kingdom
- United States
Local proxy ports
Psiphon will automatically set up an HTTP proxy which will work for most people. However, it may not use the same port every time. You may have applications on your computer that you want to use Psiphon with, which means it will need to send traffic over a specific port. You can set that up in this pane.
There’s a few reasons for the settings here. If your computer has a proxy configured you can tell Psiphon to use a different proxy or you can set check the Don’t use upstream proxy box to tell Psiphon to not use any proxy at all.
This setting should be named
Use VPN. Enabling this setting will launch an L2TP/IPSec VPN connection to the Psiphon servers. The advantage of this is that it will tunnel all of the traffic on your computer through Psiphon instead of just web traffic. The downside is that a VPN is obvious so it is easy to block.
The Psiphon Android client
Installing the Android client
The Google Play store has different apps in different countries. It’s possible that the Psiphon app is not available in your country’s version of Google Play. In that case, you can side load the app which means you can copy it into your device via USB instead of installing it from the Play store.
The Psiphon website has links and QR codes to the app in both the Google Play store and the side load version.
Because installing applications from unknown sources onto your Android device is a security risk, you’ll have to specifically enable that option. Each version of Android is slightly different, but the option will be somewhere in your security settings.
In a Samsung S6 with Android 6.0.1, it is the Settings -> Lock screen and security -> Unknown sources setting.
To see if the Psiphon client is available in your country’s Google Play store, simply search for it. Be aware that there are other similarly named apps which are not what you want. Be sure the application you install is from developer Psiphon Inc.
Running the Android client
Once the application is installed, tap it to launch it. The first thing I noticed is that there’s a very concerted effort to make money with the app. There are a lot of ads and there are also many options to purchase more speed. The free version of the Android app is limited to 2Mb per second which is usable for surfing the web, but probably not enough to stream video, game online, or download large files.
These ads help cover the cost of running the servers.
Upgrade Now! button exposes many different options to purchase more speed.
To connect, tap the Start button and a browser will launch. The browser application that launches depends on how you’ve connected to Psiphon. If you’ve selected the
Tunnel whole device option, which is described below, then your default browser will launch. If you’ve left that option disabled, then the built-in Psiphon browser will launch instead.
The reason for this difference is that the Psiphon browser is configured to use the Psiphon proxy whereas your default browser is not. Therefore, it is only safe to use the default browser if the entire device is being tunnelled through Psiphon.
When the app is connected, the Start button changes to a Stop button. To disconnect, tap the Stop button.
Configuring the Android client
Tap the Options item in the top menu to load a small set of options.
This setting defaults to the
Best performance option that allows Psiphon to select the fastest connection for you. However, you can override this by selecting any country. This setting works regardless of what mode Psiphon uses to connect.
Tunnel whole device (requires Android 4.0+)
This should be named
Use VPN. When this is disabled, only the Psiphon browser is tunnelled through Psiphon. Enabling this option turns on a VPN that tunnels all of your traffic through the Psiphon network.
Pulling down the Android shade menu from the top of your phone while Psiphon is running will confirm what mode it is running in. If only the browser is using Psiphon it will show that it is running in
However, in VPN mode, there is no IP leak.
If you select the option to tunnel the whole device, Android will give you a warning that Psiphon is trying to route all your internet traffic and require your permission to do so.
If you allow that and the connection is made, then the shade will confirm that is the type of connection running.
Which will expose a longer list of settings.
Disable timeouts for slow networks
Like the Windows setting, enabling this option will make the Psiphon client more tolerant of network latency and make it slower to disconnect.
More Options button exposes more settings.
Enabling this will cause your Android to make a noise when the connection starts or stops. This can be useful if you want to know when your connection drops.
Much like the Sound setting above, this setting will cause the phone to vibrate when the connection status changes.
This is a very handy feature and I was surprised to find it in the Psiphon app. It allows you to nominate apps that will not use Psiphon. This can be useful for applications that are location sensitive such as your bank as you won’t have to remember to disconnect to use those applications.
Connect through an HTTP proxy
The remainder of the settings are disabled unless you enable this checkbox. It allows you to enter settings which instruct Psiphon to use an HTTP proxy.
Custom HTTP headers
This setting allows the addition of HTTP headers. While there are a myriad of uses for custom HTTP headers on the internet at large, I am not sure why the feature would be included in a censorship circumvention application.
Use system network settings and Use the following settings
Only one of these can be enabled. The first one will simply use any proxy settings that already exist in your phone. The second option enables the following settings to set up a proxy for Psiphon to use:
Host address, Port, and Use proxy authentication
If you’ve enabled the second option above, then you’ll need to provide the proxy host address, port, and specify if the proxy requires authentication.
Proxy username, Proxy password, and Proxy domain
If you’ve selected proxy authentication above, then you’ll need to supply the credentials for it here.
Configuring the built-in Psiphon browser
If you’re not tunnelling the whole device (AKA: not using the VPN option) then you’ll want to use the built-in Psiphon browser to access the Internet. It’s a very rudimentary browser but it gets the job done.
As it sounds, you can set a custom home page here or you can set the home page to a blank page. In other browsers the term
home page means the page that will be loaded when the browser launches. That does not seem to be the case with the Psiphon browser. Regardless of the home page I entered, the Psiphon page loaded first. I had to manually press the Psiphon button to the left of the address bar and select
Home page to get to my home page.
Entering anything that is not a recognizable web address into the address bar will cause the Psiphon browser to search for it. This setting controls where it teaches and is preset to Google. You can change this to any search engine you’d like as long as you can figure out the syntax the search engine expects. If you take a look at the default Google entry you’ll see how to construct that.
User interface settings
This pane contains various settings to control how the browser looks. You can set it to fullscreen, determine how long toolbars should display, set what the volume keys do, and other tweaks.
Start page customization
The start page is the page that loads when the browser first launches. By selecting checkboxes, you can cause the start page to contain different panels of information such as a search bar, your most used bookmarks, and recent history items.
Firefox bookmarks synchronization
This purports to be a handy feature that will grab your bookmarks from Firefox and load them into the Psiphon browser. However, when setting up the sync Psiphon asks for a Firefox username, password and your sync key. The sync key is stored on each device and is not available from the Firefox account interface. I attempted to recover the sync key from my system using various techniques such as Password Fox to read my profile but was unable to. Whether this feature is worth the work depends on your needs.
Default zoom level
Some sites are hard to read on a mobile device so you can set the zoom level here to assist with that. The browser supports pinch and zoom already, so it doesn’t seem that this setting would need to be used much.
A user agent is a string that is sent along with every web request that tells the receiving web server what browser is being used. While user agent strings are very detailed and usually contain the operating system and browser being used, they are primarily used to determine if the website visitor is on a mobile device or a desktop. Many websites will format their content differently for mobile devices to make it easier to read.
This setting allows you to tell the Psiphon browser to send a mobile or desktop user agent all the time. It also allows you to set a custom agent so you can appear to be using any browser you want.
I tested the default user agent using my own logs and see that it does not identify it as a Psiphon browser. It reports to be Chrome on Android. This type of obfuscation makes sense for an application like Psiphon:
126.96.36.199 - - [21/Dec/2016:09:21:37 -0400] "GET /2015/11/01/jon-watson/ HTTP/1.1" 200 7447 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G925W8 Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36"
You may wish to disable this option if it slows down your connection too much. There is not much security value in disabling this, but it can help with an already slow Psiphon connection.
Use wide viewport
This setting allows the Psiphon browser to attempt to load the website with a wider view which makes it more similar to what it would looks like on a desktop computer.
Load pages with overview
Pages will load zoomed out so you can see the whole thing if this is checked. The page may be unreadable until you zoom in, but it will allow you to get a sense of the page and some context.
Enabling this setting will cause the Psiphon browser to restore the tabs that were opened the last time you used it.
You can use this screen to set the plugin behaviour. Plugins can be allowed to run all the time, only when requested, or never.
Standard privacy settings such as saving your passwords and history, as well as clearing your cookies and form data are found in this page.
The Google Web Toolkit is a framework for developing websites with a responsive layout. Adding sites to this list will cause them to be loaded using Google mobile view with the Google Web Toolkit.
Desktop mode list
Sites listed here will be requested with a desktop user agent to ensure they load the desktop version of the site.
Manage bookmarks and history
This page allows you to import, export, and clear your bookmarks and history.
About and Changelog
These are standard pages that provide information about the browser such as the version and a history of changes to the application.