ASSIGNMENT 04
NETWORK SECURITY
Submitted To:
Sir Waleed Bin Shahid
Submitted By:
Usama Ali Lone
Saif Ur Rehman
53D
Question
You have to use Psiphon and try analyzing the traffic on Wireshark. Try extracting
the maximum information out. You’ll use it with your default DNS server and also
with Google DNS.
Solution
WHAT IS ‘Psiphon’?
Psiphon is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet content. Your Psiphon client will automatically learn about new access points to maximize your chances of bypassing censorship. Psiphon is designed to provide you with open access to online content. Psiphon does not increase your online privacy, and should not be considered or used as an online security tool.
WHAT DOES IT DO?
For instance, if your college or office has restricted internet access (for example by blocking
Facebook, torrent sites, etc.), with Psiphon you can access any site, including blocked
sites like Facebook and torrent sites.
LOGGING POLICY
Psiphon collects detailed connection logs, but this is explained in great detail in its
extensive privacy policy. It collects the following information:
Connection Timestamps
Region Codes
Session Count and Duration
Chosen Connection Protocol
Total bytes transferred and bytes transferred to some specific domains.
Psiphon admits to inspecting domain names (websites) users visit while connected,
but not full URLs. It should be noted that Psiphon doesn’t store user IP addresses “in
the normal course of operation” so it would be very difficult to trace your online
activity back to you as an individual.
Psiphon is supported by ads, and it does share statistics with sponsors so they can
see, for example, how often their sites are visited through Psiphon and from which
countries. These are further aggregated by date, sponsor and region.
All of the data Psiphon collects is discarded after 60 days, which is a little longer
than we’d like.
The logs are used mainly for troubleshooting purposes and to ‘determine the nature
of major censorship events’, where sites and services can be suddenly blocked
without warning.
Psiphon specifically states that it will not give detailed or ‘potentially user-
identifying information’ to partners or any other third parties, but we still don’t
recommend it for those seeking high levels of privacy.
SPEED & RELIABILITY
The free version of Psiphon VPN isn’t very fast; in fact, its Android and iOS apps
restrict VPN speeds to 2Mbps, which is painfully slow.
Psiphon’s free VPN for Windows doesn’t seem to have the same speed restriction in
place but the speeds are limited by Psiphon’s automatic server location, which
doesn’t seem to correspond to your physical location.
Speed results from our physical location in Islamabad (18Mbps Wi-Fi
connection) to a test server.
Speed test screenshots: Without Psiphon / With Psiphon
Download speed without Psiphon: 15.22 Mbps
Download speed with Psiphon: 6.68 Mbps
Our download speed loss when Psiphon is running: 56%
You can pay for the premium version of Psiphon to experience “maximum speeds”,
but $9.99 a month for just 5Mbps is a terrible deal.
Psiphon isn’t intended to be used for HD streaming, torrenting, or gaming, so if
you’re looking to unblock censored sites, slow speeds shouldn’t be too much of an
issue.
Bypassing Censorship
Psiphon’s main attraction is its ability to bypass censorship and get past harsh
government firewalls. In fact, according to Michael Hull, president of Psiphon, there
are 200,000 daily active users of the service in China.
But, it’s not the VPN service that achieves that – it’s Psiphon’s proxy service that
works in high-censorship countries like China, Turkey, and Iran.
Psiphon warns users that the VPN configuration (L2TP, or Transport Mode) does not
have strong censorship circumvention capabilities. In other words, Psiphon VPN will
probably be blocked in China, so circumvention there relies on using Psiphon’s proxy
servers, as they provide additional layers of obfuscation (SSH+).
While the SSH proxies do encrypt traffic, encryption is limited to your browser
traffic, leaving other apps unprotected. This means that users seeking high levels of
privacy should steer clear.
Psiphon openly states that it isn’t designed to increase your online privacy, and
shouldn’t be considered or used as an online security tool.
Encryption & Security
Protocol: L2TP/IPSec
Encryption: AES 256
Security: Supports TCP Port 443
Advanced features: SOCKS, Split Tunneling
Psiphon is very transparent about online privacy on its website and says that the
software “does not increase your online privacy, and should not be considered or
used as an online security tool”, so it’s hardly surprising that there’s not much to
say in terms of encryption and security.
The VPN operates exclusively on L2TP/IPsec rather than our preferred protocol
OpenVPN. However, the use of unhackable AES-256 increases the security of the
encrypted packets.
The proxies use SSH, SSH+ (obfuscated), and HTTP configurations. You can use the
split tunneling tool with proxy configurations, which routes requests to servers
within your home country outside of Psiphon’s servers, giving you faster access to
these sites and reducing ISP data usage costs.
Because Psiphon’s main goal is to access blocked content through the SSH+ proxy
service, the apps don’t provide many advanced privacy settings at all. There’s no
VPN kill switch feature, which would help to prevent your IP address from being
exposed in the case of a connection drop.
While Cure53’s 2017 security audit of Psiphon revealed “no noteworthy security
risks”, we did experience a few leaks during our testing which affected both the VPN
and the proxy service. We found WebRTC leaks while testing the proxies and DNS
leaks while testing the Windows VPN. Both of these security flaws leave your
personal data exposed to any snooping third parties.
HOW DOES IT WORK?
All data that goes through Psiphon is encrypted. This means that your ISP cannot
see the content of your Internet traffic: web pages you browse, your chat messages,
your uploads, etc.
However, please keep in mind that Psiphon is designed to be a censorship
circumvention tool, and is not specifically designed for anti-surveillance purposes.
Psiphon does not prevent your browsing history and cookies from being stored on
your computer. And in some modes and configurations all of your Internet traffic
might not be tunneled through Psiphon -- for example if your browser's proxy
settings are misconfigured, or if you leave your browser open after exiting Psiphon.
There are also advanced techniques which can look at encrypted traffic and
determine some things about it, such as what website is being browsed. The
primary example of this is "traffic fingerprinting".
If you require anonymity over the Internet then you should use Tor instead of
Psiphon.
Your Psiphon client will automatically discover new Psiphon servers. When the last
server used is currently unavailable, another one can be used instead. All of the
internet traffic of your system goes through Psiphon only in VPN mode. After a
successful connection is established in VPN mode, your entire computer’s traffic will
pass through the Psiphon network. When VPN mode is not enabled only applications
that use the local HTTP and SOCKS proxies will be proxied.
Psiphon uses SSH with the addition of an obfuscation layer on top of the SSH
handshake to defend against protocol fingerprinting.
PROCEDURE EXPLAINED:
USING DEFAULT DNS
The main function in Psiphon is RunForever, which runs a Controller that obtains
lists of servers, establishes tunnel connections, and runs local proxies through which
tunneled traffic may be sent.
The Psiphon service provides a centrally managed, geographically diverse network
of thousands of proxy servers. Most of the current infrastructure is hosted with
cloud service providers. This allows them to respond to feedback and make
necessary changes to the software and distribute updates in a timely manner.
The technology uses a “one hop” architecture to encrypt and securely link censored
users to regional proxy servers in unrestricted countries.
The protocol used for the proxies is SSHv2.
Our system’s client is using PuTTY and the proxy server uses OpenSSH.
For the encryption of the data to be sent, keys are exchanged via the Elliptic Curve
Diffie-Hellman key exchange algorithm, and encryption is done with these keys.
After encryption the data is sent.
As can be seen, all the data sent is encrypted. Now we check what type of
encryption is done on the packets.
We make a DNS request for ‘www.united.com’ and it can be seen that Google DNS
servers are not used; instead the local (default) DNS servers are used.
Header checksums are not verified while using Psiphon, as it uses IPv4 and in IPv4
the UDP checksum is not required.
Psiphon uses RIPE Database Query Service version 1.96 for:
Allocations and assignments of IP address space
Assignments of Autonomous System Numbers (AS Numbers)
Reverse DNS registrations
Contact information
Routing policy information (in the Internet Routing Registry)
You can see session timestamps using the packets sniffed by Wireshark.
From the packet it can be clearly seen that all transfer of information is carried
out via IP addresses provided by RIPE, and no connection is made from the machine to
23.37.183.217, i.e. ‘www.united.com’; all the data required by the client is sent to it
by the server.
USING GOOGLE DNS
The protocol used for the proxies is SSHv2.
Our system’s client is using PuTTY and the proxy server uses OpenSSH.
For the encryption of the data to be sent, keys are exchanged via the Elliptic Curve
Diffie-Hellman key exchange algorithm, and encryption is done with these keys.
After encryption the data is sent.
As can be seen, all the data sent is encrypted. Now we check what type of
encryption is done on the packets.
We make a DNS request for ‘www.united.com’ and it can be seen that Google DNS
servers are used instead of the local (default) DNS servers.
Header checksums are not verified while using Psiphon, as it uses IPv4 and in IPv4
the UDP checksum is not required.
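An added example (not part of this assignment or of Psiphon’s code) showing what the capture analysis in both the default-DNS and Google-DNS sections reads off the cleartext part of an SSH session: the identification strings that name the client and server software, and the KEXINIT name-lists from which the key exchange (here ECDH) and cipher are negotiated. The version strings and algorithm lists are constructed sample values.

```python
import os
import struct

def parse_ssh_ident(line):
    """Parse the cleartext SSH identification string (RFC 4253 s4.2), e.g.
    'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3' -> ("2.0", "OpenSSH_8.9p1")."""
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    _, version, software = text.split("-", 2)
    return version, software.split(" ", 1)[0]      # drop the optional comment

KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload):
    """Parse the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 s7.1):
    one message byte (20), a 16-byte cookie, then uint32-length-prefixed lists."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    i, lists = 17, {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack("!I", payload[i:i + 4])
        i += 4
        lists[field] = payload[i:i + n].decode("ascii").split(",") if n else []
        i += n
    return lists

def negotiate(client, server):
    """Apply the RFC 4253 s7.1 rule: the first client-preferred algorithm that the
    server also lists wins, so the chosen KEX and cipher can be read off a capture."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in KEXINIT_FIELDS[:6]}

def build_kexinit(kex, hostkey, enc, mac):
    """Construct a KEXINIT payload as sample input (constructed, not a captured packet)."""
    lists = [kex, hostkey, enc, enc, mac, mac, ["none"], ["none"], [], []]
    body = b"".join(struct.pack("!I", len(s)) + s
                    for s in (",".join(l).encode("ascii") for l in lists))
    # trailing fields: first_kex_packet_follows = 0, reserved uint32 = 0
    return bytes([20]) + os.urandom(16) + body + b"\x00" + b"\x00\x00\x00\x00"
```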
Psiphon uses RIPE Database Query Service version 1.96 for:
Allocations and assignments of IP address space
Assignments of Autonomous System Numbers (AS Numbers)
Reverse DNS registrations
Contact information
Routing policy information (in the Internet Routing Registry)
You can see session timestamps using the packets sniffed by Wireshark.
From the packet it can be clearly seen that all transfer of information is carried
out via IP addresses provided by RIPE, and no connection is made from the machine to
23.37.183.217, i.e. ‘www.united.com’; all the data required by the client is sent to it
by the server.
The IP shown above was used by Psiphon while the packets were being captured.
Upon further investigation as to why this IP was not represented in the Wireshark
packets, it was found that this IP also belongs to RIPE Database services.
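An added example (not part of this assignment) that automates the resolver check made in both the default-DNS and Google-DNS captures: it parses raw IPv4/UDP/DNS query packets, reports which resolver each query went to (default LAN server, Google DNS or other) and whether the optional IPv4 UDP checksum was filled in. The packets and the 192.168.1.1 default-resolver address are constructed sample values.

```python
import struct
import ipaddress

# Resolver sets assumed for this check: the Google Public DNS addresses are real;
# the "default" resolver address is a constructed stand-in for the LAN router.
GOOGLE_DNS = {ipaddress.IPv4Address("8.8.8.8"), ipaddress.IPv4Address("8.8.4.4")}
DEFAULT_DNS = {ipaddress.IPv4Address("192.168.1.1")}

def parse_dns_query_packet(pkt):
    """Parse a raw IPv4/UDP/DNS query (link layer already stripped) and return the
    resolver it went to, the name asked for, and whether the sender filled in the
    optional IPv4 UDP checksum (a zero field means "not computed")."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    dst = ipaddress.IPv4Address(pkt[16:20])
    _sport, dport, _ulen, ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    dns = pkt[ihl + 8:]
    _id, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a DNS query")
    labels, i = [], 12                      # QNAME starts after the 12-byte header
    while dns[i]:
        n = dns[i]
        labels.append(dns[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return {"resolver": dst, "port": dport, "name": ".".join(labels),
            "udp_checksum_present": ucsum != 0}

def classify_queries(packets):
    """Group queried names by resolver; queries reaching the LAN resolver directly
    while the tunnel is up are what a DNS-leak check looks for."""
    report = {}
    for pkt in packets:
        q = parse_dns_query_packet(pkt)
        kind = ("google" if q["resolver"] in GOOGLE_DNS
                else "default" if q["resolver"] in DEFAULT_DNS else "other")
        report.setdefault((str(q["resolver"]), kind), []).append(q["name"])
    return report

def build_dns_query(src, dst, name, udp_checksum=0):
    """Construct a minimal IPv4/UDP/DNS A query as sample input (constructed, not a
    captured packet; the IP header checksum is left at zero)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 51000, 53, 8 + len(dns), udp_checksum) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp
```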
Attached Files:
Wireshark Packets
Default-Psiphon.pcapng, Google-DNS.pcapng