Android Browser Same Origin Policy Bypass Security Vulnerability (CVE-2014-6041)

A severe security vulnerability in the Android AOSP browser has been disclosed: http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html

The Psiphon team has determined that the built-in browser ("browser-only mode") in our Psiphon app is affected, on Android versions 3.0 to 4.3, through its use of Android AOSP browser via the WebView component. There is no known mitigation for this security vulnerability other than to disable JavaScript in our built-in browser WebView components.

We are releasing Psiphon for Android version 62 which will disable JavaScript in the built-in browser on these versions of Android. We plan to leave this restriction in place until a less disruptive, effective mitigation becomes available; or the Android AOSP browser becomes widely patched.

2015-09-17

https://blog.psiphon.ca/2015/09/17/android-browser-same-origin-policy-bypass-security-vulnerability-cve-2014-6041/ Psiphon Inc.

Psiphon Gives Global Boost to BFI Flare Film Festival 2015

From March 25 - 31, Psiphon partnered with British Council to deploy the BFI Flare #FiveFilms4Freedom campaign, a global digital human rights initiative and history’s first global, digital LGBT cinematic event. A leader in contemporary LGBT cinema for 29 years, BFI Flare 2015 sought to encourage the world to watch a film together, and show that love is a basic human right.

Psiphon helped maximize the global impact of the campaign, connecting the festival’s LGBT filmmakers and their stories to audiences in 135 countries around the world, in some of the most heavily censored societies — places where freedom of expression is not a given, in particular for members of the LGBT community. According to #FiveFilms4Freedom Director Alan Gemmell, the initiative “was a truly ground-breaking way to support freedom and equality all over the world and showcase some of our finest short filmmakers… we’re incredibly proud that our campaign reached tens of millions of people and that we were able to show solidarity with people around the world who risk their lives everyday just to live and love.”

Through the Psiphon platform, more than 5 million viewers were made aware of the festival, and viewed the landing page 13 million times.

The partnership was a litmus test of Psiphon’s capabilities as a publishing platform, and demonstrated its power to connect diverse international audiences to culturally-relevant content, to each other, and to a global conversation on a massive scale.

Psiphon CEO Karl Kathuria was pleased with the outcome. “We are really excited to have helped raise awareness of this film festival,” he said. “Many people using our software are in countries where it can be difficult to access LGBT content, so this is a unique opportunity to connect them with #FiveFilms4Freedom and help them to join in with the conversation over social media.”

Kathuria confirmed that Psiphon will continue to pursue future initiatives in art, cinema, and other cultural activities. “As a content delivery tool, our technology holds substantial and untapped potential to engage a global audience, regardless of information controls that might be imposed on them. Psiphon will be pursuing several more opportunities to promote and distribute content for cinematic events over the remainder of 2015.”

#FiveFilms4Freedom will return in 2016 with an expanded international programme. Psiphon’s free and open source software continues to be available for Windows desktops and Android mobile devices, helping people all over the world connect with each other over the open internet.

To learn more about the #FiveFilms4Freedom project, visit: http://film.britishcouncil.org/our-projects/2015/fivefilms4freedom

To learn more about BFI Flare, visit: http://www.bfi.org.uk/flare

To learn more about the British Council, visit: http://www.britishcouncil.org/

You can also stay in touch with Psiphon via Twitter and Facebook.

2015-04-26

https://blog.psiphon.ca/2015/04/26/psiphon-gives-global-boost-to-bfi-flare-film-festival-2015/ Psiphon Inc.

A Technical Description of Psiphon

Here's an update to address two recent questions: in simple terms, what is Psiphon and how does it differ from a VPN service; and, what has changed since the technical design document was last updated.

Psiphon 3 is a centrally managed, geographically diverse network of 1000s of proxy servers. Most of our infrastructure is hosted with cloud providers. Psiphon 3 is a "one hop" architecture with secure link encryption between clients and servers. We offer clients for the most popular platforms: Windows, Android, and iOS (in alpha).

Psiphon is open source. Our service offers a strong privacy policy; there are no user accounts and user network addresses are not logged.

Psiphon differs from standard VPN services in a couple of key ways:

We deploy strategies to distribute subsets of servers to users aiming to provide each user with a handful of servers they can reach while not revealing the entire network to one user. To achieve this goal, the size of our network -- and in particular the diversity of our network addresses -- isn't simply a function of our traffic load.
We use protocol obfuscation to bypass DPI blocking.

Psiphon's technical design document is out-of-date and what follows is a very brief summary of major technical changes we've implemented since the project launched in 2011.

We added the obfuscated SSH protocol to mitigate DPI fingerprinting. This fully random-looking protocol is deployed with a unique obfuscation key per Psiphon server.
We added an optional HTTP prefix to our protocol to mitigate DPI-based whitelisting of HTTP traffic. This simple prefix is sufficient for regex-based DPI (nDPI and l7-filter) to classify Psiphon traffic as HTTP; and was sufficient to defeat an actual adversary at the time we deployed it.
We added remote server lists to augment the embedded and discovery servers concepts. While discovery happens only when connected to an existing server, remote server lists can be downloaded even when all servers are blocked. Remote server lists are distributed on S3 and accessed via https://s3.amazonaws.com without a distinguishing bucket name in the URL. In this way, it is difficult for an adversary to block our remote server lists without blocking all of S3 or implementing HTTPS traffic analysis.
Email is now a major client propagation mechanism. We have an auto-responder that returns links and attachments to custom sponsor/channel Psiphon clients depending on the email address users send to.
We released an Android client in 2012. The first version included an embedded browser based on Android's WebView. In 2012/2013 we added support for whole device tunneling, which tunnels all Android apps through Psiphon. We have an iptables whole device mode (for rooted Android 2.2+ devices); and a whole device mode that uses Android's VpnService with tun2socks (for any Android 4+ device). Additional features added include egress region selection and proxy chaining.
We have an iOS client now in alpha testing. This app has an embedded browser.
Our in-app feedback mechanism sends us messages and optional diagnostics from users. This system has helped us debug many platform issues and blocking issues.
Changes to discovery algorithms: our discovery algorithms evolve as part of an ongoing process of optimizing our network. Major changes include sharing discovery servers across propagation channels; and adding time-of-day as a dimension.
Optimizations to connection algorithms: our clients now launch connections to many servers at once when connecting, and keep the "best" connection. This assists in load balancing as well as reducing user wait time as individual blocked servers do not stall the connection sequence.
Client auto-upgrade was enhanced to use incremental download and to use out-of-band download sites (authenticated with digital signatures). These changes made it more likely that a new client can be distributed at a time of blocking.

2014-12-03

https://blog.psiphon.ca/2014/12/03/a-technical-description-of-psiphon/ Psiphon Inc.