Understanding Psiphon: Circumventing Internet Censorship Through Proxy Tunnels
Psiphon is a powerful tool designed to bypass Internet censorship by routing users’ traffic through a network of proxy servers. By using a client program, Psiphon creates a secure tunnel to a proxy server located beyond the reach of censorship mechanisms, allowing users to access unrestricted content.
Traffic Routing Modes
Psiphon supports various routing modes to manage how traffic is channeled:
Port Forward Mode: In this mode, the Psiphon client operates as a SOCKS and HTTPS proxy on the local machine. Users configure their host or individual applications to connect through these local proxies. Each connection is then routed through the tunnel to the server, effectively bypassing censorship.
Packet Tunnel Mode: Psiphon also supports packet tunneling, where IP packets are relayed between a virtual “tun” device on the host and the proxy server. This method is used to encapsulate all network traffic within the tunnel.
Traffic Security
At the heart of Psiphon’s security is an SSH connection that ensures the confidentiality and integrity of the data transmitted between the client and the proxy server. Clients authenticate the SSH server with pre-shared public keys, confirming that they are connecting to genuine Psiphon servers.
Server Entries
Psiphon operates with a comprehensive system for managing server connections. Server details, including SSH public keys and addresses, are distributed as “server entries.” These entries describe individual Psiphon servers and are either embedded in the client binaries or discovered dynamically during connection attempts.
To ensure the security and reliability of server lists, Psiphon employs several delivery mechanisms. This includes fetching server lists from designated drops and verifying them with public keys. Obfuscated server lists, which are encrypted, are also used to enhance security, only accessible to clients with the necessary keys.
Traffic Obfuscation
To avoid detection and blocking, Psiphon employs several obfuscation techniques:
Randomized Traffic: Traffic can be made to appear random, obscuring its true nature.
Protocol Mimicry: Traffic may be disguised to resemble popular protocols, misleading censorship systems.
Traffic Shaping: Psiphon can modify traffic patterns to obscure size and timing characteristics.
Indirect Connections: Connections to proxy servers can be made through intermediaries to further disguise traffic.
Circumvention Optimizations
Psiphon optimizes connection times by making multiple simultaneous connection attempts to different servers with varying obfuscation techniques. This approach helps identify the fastest and most effective configurations for bypassing censorship. Additionally, the Psiphon client tracks successful servers and obfuscation methods to improve future connection attempts.
To fine-tune performance, Psiphon uses “tactics” to deliver optimized configuration and obfuscation parameters directly to clients, enhancing their ability to evade censorship efficiently.
Through these sophisticated methods, Psiphon provides a robust solution for users facing restricted Internet access, ensuring they can connect to the open web with greater freedom.
