Psiphon Completes Another Third Party Security Review

In late June 2017, Psiphon continued to prove its commitment to open source development (you can access our code repository here), by commissioning Cure53 to perform a security audit of our services. The security review took 22 days and a total of 9 testers to complete what was described as a review with a “vast scope” and the Cure53 testers were very thorough. This is our 2nd security audit of this kind in 3 years (you can see the results of the 1st one, performed by iSec here).

The report’s description of what was included in the scope reads:

“In scope were multiple components of the Psiphon software compound, including the tunnel-core client and server, the library glue, the Psiphon iOS app and, last but not least, the Psiphon iOS browser. This very broad premise and scope explain the necessity for involving a rather large number of testers with properly matched expertise in different arenas. In sum, the tests included code audits, actual penetration tests, protocol and configuration reviews, and a cryptographic audit."

We are very happy with the results of the security audit and proud to relay that “no noteworthy security risks could be unveiled” (pg.19). In the spirit of transparency you can read the full detailed report in pdf form here. Of the two vulnerabilities found, one has already been fixed (and confirmed by Cure53) and steps have been taken to address the other in upcoming releases.

The testers also noted 7 other miscellaneous issues that you can find listed in the report, four of these have also already been addressed.

“The testers shared a conviction that the software compound greatly benefitted from a number of software security audits in the past. Needless to say, this is reflected in findings. Among the total nine issues discovered, only two were marked as security vulnerabilities and were further ascribed with the lowest “Informational” severity ranking.”

The Cure53 testers noted several times throughout the report how clean and quality driven the code is and came to the following conclusion:

“Despite investing considerable time and personnel resources into attempting a compromise, the Psiphon components in scope held up to scrutiny and presented themselves strong and robust in face of adversarial efforts. The bottom line is that no noteworthy security risks could be unveiled.”

We hope that you will find this report interesting, and that it will assure you of our commitment to providing first-class software that will always be open source and secure.

2018-02-16

https://blog.psiphon.ca/2018/02/16/psiphon-completes-another-third-party-security-review/ Psiphon Inc.

Internet Freedom Festival 2017

Another successful Internet Freedom Festival (IFF) was held 6-10 March, 2017. The week-long “global unconference” festival takes place every year in Valencia, Spain. It is a great opportunity for those in the Internet Freedom community to meet up, share experiences, learn from one another, and discuss issues affecting the Internet today. Once again, Psiphon team members were in attendance at this year’s IFF.

This year’s sessions focused on eight different themes: Community; Training & Best Practices; Internet Freedom: Present and Future; Tools & Technology; Policy & Advocacy; Regions & Groups; Communications & Design; and Journalism & Media. The IFF encourages collaboration, diversity, and inclusivity. The days were filled with engaging sessions, each of which presented an opportunity to meet colleagues from around the world and undertake the shared common goal of Internet Freedom.

Happy 2017 to Psiphon Users!

2016 was an eventful year, with plenty of world events to be informed about. While access to the Internet and thus information around the world grew, censorship of all kinds including the blocking of websites also rose.

Here at Psiphon we have also seen more users of our software than ever before, and while this comes hand in hand with increasing information controls on the internet, we are happy to be able to help people get round them.

Freedom House’s annual report on Internet Freedom noted a decline in said freedom for the sixth year running, and found that two-thirds of Internet users around the world live in countries where criticizing the government, military or monarchy results in censorship. Their other major observation was that governments are increasingly targeting messaging apps.

This chimes with some of the things we’ve seen on our network this year. For example in January VoIP services were blocked in Morocco, upsetting users of popular free calling services like Viber, Whatsapp, Skype and Facetime. For the month long duration of the ban, we saw our Moroccan traffic triple in the first week and then double each week after that. Then in May a Brazilian judge ordered the blocking of Whatsapp, not for the first time. Again we saw traffic from the country triple, this time in 24 hours.

National elections are another flashpoint for censorship, and we’ve seen people turn to Psiphon as their governments block social media or oppositions websites, for example in August in Gabon. Another trend we’ve seen this year is the shutting down altogether of the internet in some countries during turbulent events - something that even Psiphon can’t do anything about.

Our hope is that in 2017 we can help people around the world to communicate and stay informed without restrictions. Happy New Year to all our friends and we wish you a safe, happy and free 2017!