XPost: alt.privacy   
   From: marionf@fact.com   
      
   >> That is, instead of connecting directly to a site, your request   
   >> goes through the proxy   
   >   
   > Yep.  But what was/is its intended purpose ?   
      
   A proxy is an intermediary between client and destination.   
      
   It can cache content, filter requests, mask the client IP, or bypass   
   restrictions. Psiphon freeware can operate as a proxy, a VPN, or both.   
      
   > What you are describing there is a VPN, with that Psiphon executable most   
   > likely to make configuring easier.   
      
   Psiphon freeware can be added on top of a system-wide VPN if desired. Then   
   Psiphon freeware can function as a VPN or as an application-level proxy.   
      
   Psiphon freeware is limited though in that it can be one or the other.   
   Not both at the same time. That's just a quirk of that freeware though.   
      
   In VPN mode  freeware encrypts and tunnels all traffic.   
   In proxy mode it handles selected traffic and may obfuscate it.   
      
   > Than again, the above VPN is most always a simple forwarding service, not   
   > even allowing you access to the rest of the "VPN 'puter" you are conncting   
   > to (its a misnomer, but a name one most users know.  Like asperine).   
      
   Correct, commercial VPN services forward traffic without shell or file   
   access to the server. Nothing here adds access to someone else's 'puter.   
      
   > And by the way: that (goes thru something which changes your IP) is what an   
   > internet modem/router does too.  Yet, its not called a proxy ...   
      
   Routers perform NAT at lower layers.   
   A proxy operates at the application layer and can parse protocol data.   
      
   > Same goes for your internet provider, or a search engine like DuckDuckGo   
   > (and others).   Those are not called proxies either.   
      
   Correct, they may relay traffic but are not user-configured intermediary   
   proxies.   
      
   > Mind you, although not mentioned, HTTP(S) proxies where meant to buffer   
   > requests for webpages...   
      
   Yes, HTTP proxies can cache content to reduce bandwidth and improve load   
   times for repeated requests.   
      
   >> My setup, for example, chains three levels (two of which are optional).   
   >> 1. VPN (full tunnel)   
   >> 2. Psiphon (proxy tunnel)   
   >> 3. VPN browser (app-level tunnel)   
   >   
   > I'm sorry, but #2 is meaningless to me.  Whats the difference with #1 ?   
      
   #1 is a full-tunnel VPN encrypting all traffic. #2 is Psiphon in proxy   
   mode, routing selected traffic and often disguising it. Even more   
   miserable, in Windows, only some applications know how to use proxies.   
      
   For example, Mozilla browsers are great at using proxies, it turns out.   
   Sadly, Chromium browsers suck at using proxies. But the good news is some   
   have no problem using them (e.g., Brave) while others refuse (UC).   
      
   Go figure.   
      
   > As for #1 and #3 ?  That is most likely where the Psiphon executable comes   
   > into play...   
      
   Psiphon.exe freeware manages its own tunnel and can select which   
   applications or destinations use it. A browser VPN addon is app-scoped.   
      
   > I don't think so.  You can't have a "full tunnel" and at the same time a   
   > "app-level tunnel"...   
      
   Chaining is possible if the first tunnel allows the second to connect   
   through it. For example, most free public VPN servers are full tunnel.   
      
   With a full-tunnel VPN, Psiphon freeware (or another tunneling tool) can   
   run its own tunnel inside it without touching any extra settings because   
   the VPN client is already routing all outbound traffic through the VPN   
   interface by default.   
      
   Let's speak carefully though as I'm chaining 3 different things in   
   different orders during testing so each situation can be different.   
    a. System-wide free no-registration public VPN servers   
    b. Browser-specific free no-registration public VPN extensions   
    c. The Psiphon no-registration freeware censorship circumvention tool   
      
   >> Your psiphon3 proxy is installed on your 'puter, and so it   
   >> still uses your 'puters IP.  No IP hiding possible.   
   >   
   > Indeed.   
      
   When Psiphon connects to a remote server, the destination sees the Psiphon   
   exit IP, not the local IP. The ISP still sees local IP unless another   
   tunnel is used first. If/when I chain tunnels, each sees only the prior.   
      
   > Did you know that Windows has such a thing built-in...   
      
   A default gateway is part of IP routing, not a proxy.   
   It forwards packets without interpreting application-layer protocols.   
      
   > No, the side effect of the proxying server...   
      
   VPN software can leak DNS or other traffic if not configured to route all   
   protocols through the tunnel.   
      
   > Than again, thats often a choice : use your own, locally configured DNS, or   
   > the one thats configured on the remote VPN server...   
      
   Agreed, local DNS can be faster, remote DNS keeps lookups inside the   
   tunnel. I recently posted a separate detailed tutorial on setting that up.   
      
   > There's a trick that I don't fully understand...   
      
   Some tools disguise tunnel traffic to look like ordinary HTTPS or other   
   allowed protocols to avoid detection.   
      
   > Psiphon *is* your VPN...   
      
   Psiphon can be the only tunnel or be chained with another VPN. In a chain   
   there is a first and a second, defined by which outer path the inner uses.   
      
   > every app respects proxy matters too...   
      
   Some apps ignore system proxy settings. Proxies can be faster when they   
   avoid encryption, but performance depends on routing and load.   
      
   > But I have no idea what the reason would be why a VPN would technically be   
   > slower than a proxy...   
      
   Encryption and encapsulation add overhead. Server distance and routing also   
   affect speed. Sometimes just paying for the tools increases the speed.   
      
   > The result is no single party sees the full picture...   
      
   Compartmentalization works if tunnels are chained correctly, though   
   metadata can still correlate flows.   
      
   > It's not redundant. It's compartmentalization.   
      
   Understood.   
      
   > I'm sorry, but are you now telling me that you would need both a VPN *and* a   
   > Psiphon server...   
      
   You do not need both. You can use only Psiphon, only a VPN, or chain them.   
   Chaining adds complexity and latency. That's why I'm testing for the team.   
      
   It takes hundreds of hours to get where I've gotten to today, but with just   
   one tutorial, anyone can set up my setup in five minutes after I do that.   
      
   > Like who strips the tunneled-but-not-looking-like-a-tunnel layer...   
      
   The endpoint that created the obfuscation removes it, then forwards plain   
   tunneled data to the next hop.   
      
   > Its much more likely that your local Psiphon.exe redirects your connection...   
      
   Psiphon uses an upstream infrastructure of servers and bridges to traverse   
   filtering networks. Details vary by deployment.   
      
   > Indeed, you didn't.  You just mentioned both WinInet and WinHTTP...   
      
   They expose separate proxy configuration models for applications, but both   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)