Psiphon VPN operates exclusively on L2TP/IPSec rather than our preferred protocol OpenVPN. It’s fairly secure when used in combination with AES 256-bit encryption, but it’s needlessly weaker than the competition.
Importantly, unlike the VPN app, Psiphon’s proxy service does not encrypt your internet traffic.
Using Wireshark, we tested whether Psiphon’s proxy (image on the left) and VPN (image on the right) effectively encrypted traffic.
Psiphon’s proxies use SSH, SSH+ (obfuscated), and HTTP configurations. Because Psiphon’s main goal is to access blocked content through the SSH+ proxy service, its apps don’t provide many advanced privacy settings at all.
There’s no VPN kill switch, which would prevent your IP address from being exposed in the case of a connection drop.
Security Flaws & Independent Audit
While Cure53’s 2017 security audit of Psiphon revealed “no noteworthy security risks,” we did experience a few leaks during our testing which affected both the VPN and the proxy service.
In our tests, Psiphon VPN leaked our DNS requests.
Our tests of the Windows app revealed DNS request leaks. Previously, we also saw WebRTC leaks. Without a kill switch, the presence of leaks leaves your personal data entirely exposed to any snooping third parties.
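The kind of DNS leak check described above can be reproduced from a capture taken on the physical network interface while the tunnel is connected. The following is an added example, not part of the original review or Psiphon's own code; it assumes raw IPv4 packets with the link-layer header already stripped, and all addresses, hostnames and function names are constructed for illustration.

```python
import socket
import struct

def parse_dns_query(packet: bytes):
    """Return (src, dst, qname) for a cleartext IPv4/UDP DNS query, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:  # 17 = UDP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 12:  # UDP header + DNS header must be present
        return None
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    dns = packet[ihl + 8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if dport != 53 or flags & 0x8000 or qdcount < 1:  # QR bit set = response
        return None
    labels, pos = [], 12
    while pos < len(dns) and dns[pos] != 0:
        n = dns[pos]
        if n & 0xC0 or pos + 1 + n > len(dns):  # pointer or truncated name
            return None
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, ".".join(labels)

def find_dns_leaks(packets):
    """Packets come from the physical NIC while the tunnel is up, so any
    readable DNS query here travelled outside the encrypted tunnel."""
    return [q for q in map(parse_dns_query, packets) if q is not None]

# --- Constructed sample capture (raw IPv4, link-layer header stripped) ---
def ipv4_udp(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

SAMPLE_CAPTURE = [
    ipv4_udp("192.168.1.20", "203.0.113.10", 4500, 4500, bytes(range(44))),  # IPsec NAT-T, opaque
    ipv4_udp("192.168.1.20", "192.168.1.1", 53124, 53, dns_query("example.com")),  # leaked query
    ipv4_udp("192.168.1.20", "198.51.100.7", 50000, 123, bytes(48)),  # NTP, not DNS
]

if __name__ == "__main__":
    for src, dst, name in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"DNS leak: {src} -> {dst} asked for {name}")
```

An empty result on a capture taken while browsing with the tunnel up means no plaintext UDP DNS left the machine; it does not cover DNS over TCP, IPv6, or WebRTC address exposure.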
In the picture below, you can see that Psiphon’s proxy had DNS request, WebRTC, and geolocation leaks during our testing:
Psiphon also leaked DNS requests and more in proxy mode.
Only 16% of the 90 most popular free VPNs we’ve tested leak DNS requests like Psiphon. There are far more secure and private free VPNs available, and even cheap no-logs VPNs like PrivateVPN.
In 2019, a follow-up audit of Psiphon’s apps by Cure53 had “mixed” results, with criticism of the Windows app in particular, stating:
“Several parts of the application feel heavily outdated”
In 2021, Psiphon recruited another auditor, 7ASecurity, which provided a more positive assessment.
No Viruses, but Lots of Trackers & Permissions
Using VirusTotal, we scanned Psiphon’s app and found no malware or viruses.
VirusTotal found no anomalous software in the Psiphon app, which is a direct download.
Psiphon Pro on Android has way too many trackers and permissions.