Psiphon is an open-source Web proxy platform that has changed quite a bit over the past few years. It differs from other proxy software (such as CGIProxy and Glype) in various ways, depending on how it is configured on the server. In general, Psiphon:
- is accessible through HTTPS
- supports access to HTTPS destination sites
- offers improved (though far from perfect) compatibility with a few complex Web sites, including YouTube
- may or may not require you to log in with a username and password
- allows you to register an e-mail address to receive new proxy URLs from the administrator in the event that your proxy is blocked
- allows you to invite others to use your proxy (assuming it is configured to require a password).
The current version of the Psiphon server software runs only on Linux, and is much more difficult to install and administer than most other proxies. It is designed primarily to facilitate the operation of a large-scale, blocking-resistant circumvention service for those who lack the ability to install and use more advanced tools.
The history of Psiphon
Psiphon 1, the original version of the Web proxy platform, was designed to run on Windows, and allowed a non-expert computer user in a country that does not filter the Internet to provide basic circumvention services to specific individuals from countries that do. It was easy to install, easy to use and featured partial support for HTTPS, which made it more secure than many of the alternatives. It also required users to log in, which helped prevent congestion and reduced the likelihood that these small Web proxies, called nodes, would be targeted for blocking. Psiphon 1 is no longer maintained or supported by the organization that developed it.
Psiphon 2 was completely rewritten, with an eye toward performance, security, compatibility and scalability in the context of a centralized service model. These goals have been met with varying degrees of success. Initially, a Psiphon 2 user was required to log in to a particular private node with a username and password. Psiphon, Inc. gave a few early users from each region additional privileges that allowed them to invite others to access their proxies. Early Psiphon 2 proxies also required users to ignore "invalid certificate" browser warnings because, while they were accessible through HTTPS, their administrators were unable or unwilling to purchase signed SSL certificates. All Psiphon private nodes deployed by the company itself now have signed certificates and should not trigger browser warnings. Obviously, this might not hold true for third-party installations of the Psiphon software. Finally, all Psiphon users now earn the right to send a limited number of invitations.
Psiphon 2 open nodes, which were implemented somewhat later, can be used without logging in. An open node automatically loads a particular homepage, and presents itself in a particular language, but can then be used to browse elsewhere while evading online censorship. Open nodes include a link through which a user can create an account and, optionally, register an e-mail address. Doing so allows the proxy administrators to send a new URL to users whose nodes are blocked from within their country. In general, open nodes are expected to be blocked and replaced much more quickly than private nodes. As with new private nodes, all Psiphon open nodes are secured using HTTPS, and those operated by Psiphon, Inc. identify themselves using valid, signed certificates.
How can I get access to a Psiphon node?
To limit and monitor the blocking of its proxies, Psiphon, Inc. has no centralized way to distribute open nodes (which it sometimes refers to as right2know nodes). One English-language open node, dedicated to the Sesawe circumvention support forum, is available at http://sesaweenglishforum.net. Other open nodes are distributed privately (through mailing lists, Twitter feeds, radio broadcasts, etc.) by the various content producers that make up Psiphon's client base.
Psiphon private nodes work differently. Even if it were possible to print an invitation link in this book, it would be ill-advised, as the whole point of maintaining a private node is to limit its growth and preserve some resemblance to a social network of trust among its members. After all, a single invitation sent to a single 'informer' could be enough to get a node's IP address added to a national blacklist. Worse yet, if that invitation were accepted, the informant would also receive any replacement proxy URLs sent out by the system's administrators. If you do receive an invitation, it will include a link similar to the following, https://privatenode.info/w.php?p=A9EE04A3, which will allow you to create an account and register an e-mail address. To do so, follow the instructions under "Create an account", below. After creating your account, you no longer need to use the invitation link. Instead, you will log in through a somewhat easier-to-remember URL such as https://privatenode.info/harpo.
Using a Psiphon open node
Creating an account
As long as you remember or bookmark the URL of an unblocked open node, you can use it to access filtered Web sites. Creating an account allows you to modify certain preferences, including the proxy's language and default home page. It also allows you to register an e-mail address so that the node's administrator can e-mail you a new proxy URL if this one gets blocked. To do so, click on the "Create account" link in the Bluebar.
If you receive an invitation to a Psiphon private node, the steps required to create your account are identical to those described below.
When filling out the registration form, you might want to choose a username that is not connected to your real identity through e-mail services, social networking sites, or other such platforms. The same applies to your e-mail address, if you choose to register one. Most other users of your proxy are prevented from seeing your username or your e-mail address, but both items are stored in a database somewhere and are visible to Psiphon administrators. If you choose to register an e-mail address, it is recommended that you select one that allows you to access your e-mail through an HTTPS connection. Free e-mail providers that support HTTPS include https://mail.google.com, https://www.hushmail.com, and https://mail.riseup.net. To prevent the automated registration of Psiphon accounts, you must read the number displayed on the Security code image and enter it in the last field. When you are done, click "Create account".
You should see a message confirming the successful creation of your account. From now on, please use the URL displayed on this page to log in to your Psiphon node. Note that it includes an HTTPS prefix and a short suffix ("/001" in the image above). You might want to print out this welcome page or bookmark the linked URL (but be careful not to bookmark the welcome page itself by accident). Of course, you will also need the username and password that you chose in the steps above.
This welcome page might also provide some advice, as shown above, about "invalid security certificate" warnings and the need to accept them in order to use Psiphon. In fact, these instructions are outdated, and you should no longer follow them. If, when connecting to a Psiphon proxy, you see warnings such as those displayed below, you should pay attention to them. If that happens, you might want to close your browser and contact email@example.com or firstname.lastname@example.org for additional advice.
If you use an account to log in to your Psiphon proxy, you will eventually gain the ability to invite others. In order to help prevent blocking, you will collect invite tokens slowly, and there is a limit to the number that you can have at any one time. Obviously, if your proxy is an open node, you can simply send the proxy URL to others. However, after a blocking event, if you receive a follow-up "migration" message at your registered e-mail address, you might find that your account has been moved to a private node. You should never share the URL of a private node, except through Psiphon's built-in invitation mechanism.
Once you have collected one or more invitations, you will see a link on your Bluebar that says something like Invite (1 remaining), as shown below.
There are two ways to invite others to use your Psiphon proxy:
- The Send invitations method automatically sends invitation links to one or more recipients. The invitation messages will come from Psiphon, not from your own account.
- The Create invitations method generates one or more invitation links for you to distribute through other channels.
If you click on the Bluebar link, you will be taken to the Send invitations screen. In order to create an invitation link without e-mailing it, you must click on the Profile link first, then "Create invitations".
Click "Invite" on your Bluebar or Send invitations on the Profile screen. Enter an e-mail address for each person to whom you want to send an invitation, one address per line, and then click "Invite".
You will see a message telling you that one or more messages have been queued, which means that Psiphon will e-mail out your invitation links within the next few minutes.
Remember that you should only invite people you know to private nodes.
Click "Create invitations" in the Profile screen. Select the number of invitation links to create and click "Invite".
You may distribute these invitation links through whatever channels are available to you, but:
- each invitation can be used only once
- for private nodes, do not display the links publicly, to avoid exposing the proxy URL
- for private nodes, you should only invite people you know.
Reporting a broken Web site
Some Web sites that rely on embedded scripts and complex Web technology like Flash and AJAX may not display properly through Psiphon. In order to improve Psiphon's compatibility with such Web sites, the developers need to know which sites are problematic. If you find such a site, you can report it easily by clicking the Broken Page link on the Bluebar. If you provide a brief explanation of the problem in the Description field, it will allow the Psiphon development team to reproduce the error and help them find a solution. When you have finished, click "Submit" and your message will be sent to the developers.