XPost: alt.comp.freeware   
   From: marionf@fact.com   
      
   R.Wieser wrote:   
   >> That is, instead of connecting directly to a site, your request   
   >> goes through the proxy   
   >   
   > Yep.  But what was/is its intended purpose ?   
      
   A proxy like Psiphon reroutes traffic. Instead of going directly to a site,   
   your request goes thru Psiphon, which masks your IP & may encrypt some   
   data. It's useful for bypassing blocks, switching IPs fast or adding light   
   obfuscation, where you get speed and IP obfuscation as the benefit.   
      
   An "intended purpose" can vary, of course, depending on the privacy need.   
   1. Circumvent censorship   
   2. Hide IP   
   3. Add weak encryption   
   4. Chain with VPNs for layered privacy   
      
   My setup, for example, chains three levels (two of which are optional).   
   1. VPN (full tunnel)   
   2. Psiphon (proxy tunnel)   
   3. VPN browser (app-level tunnel)   
      
   Each adds a layer. You can use 1, 2 or all 3. More layers = more   
   obfuscation, but slower speed. Psiphon alone is fast & light.   
      
   It's good for quick IP switch or bypassing filters.   
      
   >> which forwards it on your behalf for the purpose of   
   >> a. Hiding your IP address   
   >   
   > Your psiphon3 proxy is installed on your 'puter, and so it still uses your   
   > 'puters IP.  No IP hiding possible.   
      
   True, Psiphon runs locally but tunnels traffic thru remote servers.   
   While Psiphon sees my IP address (if I run it first, that is), the   
   destination sees Psiphon's exit node's IP, not mine. That's IP masking.   
      
   > Though that /side effect/ can be had (not a proxies purpose, so it could   
   > still 'leak' your IP).   
      
   Psiphon is definitely not perfect. Especially on Windows which is miserable   
   to set the proxy (remember, there are three different ways and each app   
   chooses one or none of those three different ways - so it is miserable).   
      
   You're right that a misconfig or leaks can expose your IP, which is why I   
   wrote the script to check and set the three different ways after all. :)   
      
   Used correctly, Psiphon hides your IP from visited sites, and if you put a   
   VPN before or after Psiphon (or both), then each is hidden from the other.   
      
   >> b. Bypassing censorship   
   >   
   > I guess it could do that.  A bit of a poor-mans and rather limited VPN I   
   > guess.   
      
   There's a trick that I don't fully understand so I hope others can flesh it   
   out, but Psiphon and VPN "look different" to the ISP & to the web site.   
      
   Psiphon is designed to bypass censorship by tunneling traffic thru proxy &   
   VPN-like methods. It uses a mix of SSH, HTTP & VPN protocols to evade   
   blocks. While not a full VPN, it routes traffic thru remote servers,   
   allowing access to restricted content.   
      
   It's not "limited" in purpose. It's optimized for reachability, not   
   encryption. To do that, Psiphon uses obfuscated protocols (SSH, HTTP, VPN)   
   to bypass blocks. It often mimics regular web traffic to avoid detection.   
   VPNs use standard tunneling protocols (OpenVPN, WireGuard, IPsec) that are   
   easier to fingerprint.   
      
   TO the ISP, for example VPN (encrypted tunnel, known ports, predictable   
   handshake) looks different than Psiphon (which may look like HTTPS or SSH,   
   which could be harder to block due to it not looking suspicious).   
      
   To the destination website, the VPN IP exit server is often a known   
   datacenter, whereas Psiphon's exit node is intended to rotate or mimic   
   residential exit nodes (as far as I can ascertain, anyway).   
      
   While it may or may not work, the point is that Psiphon may evade DPI or   
   filtering better. VPN offers stronger encryption but is easier to detect.   
      
   >> c. Adding an additional layer of anonymity (e.g., to a VPN setup)   
   >   
   > If your proxy hides your IP, than the VPN just re-hides it.  What good does   
   > that do ?   Also, a repeat of your first point.   
      
   To answer your question, let's go slowly here as the order matters (VPN   
   first Psiphon second versus Psphon first VPN second) and the fact that not   
   every app respects proxy mattes too, as does the fact that proxies are   
   faster than VPN as does the fact that proxies look different to snoopers   
   than VPN, etc.,   
      
   See? I told you it's complicated.   
      
   That's why I'm asking for someone on this newsgroup who knows more than I   
   do because I only touched proxies 25 years ago and again, only a week ago.   
      
   So far you're the only one on this newsgroup who even seems to understand   
   it, where I was hoping someone would tell ME how this darn thing works.   
      
   Each layer masks different metadata. Stacking them splits trust.   
      
   For example, let's say I run system-wide VPN first & then Psiphon second.   
   1. The VPN server sees my real IP address & encrypts my traffic.   
   2. The Psiphon server sees only the VPN IP & forwards the traffic.   
   3. The final destination sees the Psiphon server   
      (which looks like a residential IP address).   
      
   The result is no single party sees the full picture. ISP sees VPN. VPN sees   
   Psiphon. Psiphon sees destination. Destination sees Psiphon exit IP.   
      
   It's not redundant. It's compartmentalization.   
      
   > The question still is why you think those two DLLs you named are proxies   
   > (I'm dropping the last one, as thats just a description of an intended   
   > functioning, not something you can have running on your 'puter)   
      
   Let's be clear that I never once mentioned DLLs. I didn't say WinINET or   
   WinHTTP *are* proxies. I said they support proxy behavior. Windows apps use   
   those APIs to apply proxy settings, including PAC/AutoDetect. PAC isn't a   
   DLL, it's a config script. AutoDetect uses WPAD or DHCP to find proxy   
   settings.   
      
   My question was about how Windows handles proxy routing, not about DLL   
   internals.   
      
   I only started using proxies a week ago so I'm hoping something (anyone!)   
   on this newsgroup knows them better than I do as they're not intuitive.   
      
   Why do 3 completely different proxy mechanisms exist in Windows anyway?   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)