Rearranging The Deckchairs

Frank O'Dwyer's blog

Psiphon Considered Harmful?

[Note: per Boris in the comments, this post refers to an old version of Psiphon, so may be out of date. I haven’t time to look at the new version at the moment, so it may or may not have similar problems]

Psiphon is a new anti-censorship tool that has recently become available. It is supposed to allow anyone to operate a proxy (“psiphonode”) in an uncensored country, so that users in censored countries can browse material that would otherwise be blocked. The idea is that the censoring country will find it much more difficult to identify and block access to hundreds of proxies than to do the same for the particular site it wishes to censor. The connection between the browsing user and the proxy is encrypted so that the censoring government cannot tell what is being browsed. That’s the theory, anyway.

It’s an interesting idea but I think there are a few problems with it:

  • It only takes one of these to fall into the hands of a spammer or paedophile or similar, and it will be game over. Those operating the psiphonodes will probably be less than pleased to have spam or child porn downloaded via their proxies. This may in turn expose them to unwanted attention from their own government!
  • The self-signed certificates may be a bit of a giveaway. The censoring government could easily monitor for these and focus its efforts on connections which use them. It could also automatically perform a man-in-the-middle attack on all such connections. This is mentioned in the psiphon FAQ; however, the user only has to forget to perform the fingerprint validation on one occasion for bad things to happen.
  • Traffic analysis will allow the censoring government to target users who have been to the psiphon site. (Users in the censoring country do not need to visit that site, but it seems likely that they will).
  • Similarly, traffic analysis should allow identification of SSL-encrypted sites that are being used by more than one ‘suspect’ in the censoring countries. It would be quite easy for the censoring country to automatically check the resulting destination IPs and fingerprint them as psiphonodes. Authentication of access to the proxies is supposed to prevent anyone other than the authorised users gaining access, but I doubt that this is effective in preventing fingerprinting of a psiphonode (more likely it helps). Although the censoring government cannot effectively blacklist the psiphonodes (as their IP addresses are likely to change), it could take the approach of blacklisting the source IP (effectively booting the censored users off the net).
  • The censoring country could also pay a physical visit to users who appear to be converging on a psiphonode. To guard against having prohibited material on their machines in this case the users should at least enable the option “do not cache pages browsed via SSL” in their web browsers.
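The second point above rests on a check the user must remember to do by hand. As an added example (not code from the original post or from Psiphon), here is a client-side pin that performs the fingerprint comparison on every connection and refuses to send anything if it fails; the host, port and pinned SHA-256 fingerprint are assumed to have been obtained out of band from the psiphonode operator.

```python
import hashlib
import hmac
import socket
import ssl

# Added example: pin the proxy's self-signed certificate by SHA-256 fingerprint
# so the validation step cannot be skipped by accident.


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex; return lowercase hex."""
    cleaned = "".join(ch for ch in fp if ch.isalnum()).lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return cleaned


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value browsers display as the fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_fingerprint(pinned))


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf cert matches the pin.

    A self-signed cert cannot be checked against a CA, so chain verification is
    off and the pin is the only defence against a man-in-the-middle. The TLS
    handshake therefore completes before we know who we are talking to, which
    is why the socket is closed before any request is written on a mismatch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain: the pin below is the check
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, pinned):
        tls.close()
        raise ssl.SSLError("certificate fingerprint does not match pinned value")
    return tls
```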

It is nice to see such tools emerging and it will be interesting to see what happens, but ultimately I think this problem is too hard to be solved by a simple proxy solution. When you compare this to, say, TOR and freenet it really doesn’t add up. Hopefully no users have to find this out the hard way.

technorati tags:security, censorship, privacy, psiphon, tor, freenet