Are you doing SSL decryption? If so, where?

Do you think your ISP, backbone provider, or another three-letter agency is any less capable of doing it too?

Definitely. I can push out a trusted root CA to my entire domain in a few seconds, but my ISP certainly can’t. They’d have to convince one of the big root CAs (VeriSign, etc.) to give them an intermediate certificate, so their inspection box could print “fake” certs for every domain being accessed. The likelihood of that is low, to say the least.

If they didn’t have that, you’d just get a slew of certificate errors on every site you tried to visit. If you don’t control a root CA that the machine trusts, SSL inspection is pretty much useless.

I am curious how DNS Redirector would block direct IP communication without a DNS request involved. According to their FAQ Question #115, it gives an example that has to leverage third-party devices. So it does not appear that DNS Redirector is an end-all solution. Please correct me if I am mistaken.

iPads, JSS and enrolled with AD credentials.

Barely seems to work, even identifying users of Windows PCs, so I’m obviously doing something wrong with the FortiGate in the first place.

No, no support services. Vendor support only, so far.

PA seemed to be doing well blocking Ultrasurf. It’s been a while since I’ve looked into it though.

I bet psiphon would be able to get through without SSL decryption properly set up on the PA.

You would be correct! I just dealt with that a few weeks ago. Now I decrypt on my PAs.

EDIT: Decrypt instead of encrypt

If you are not decrypting your traffic, then you would be unlikely to stop psiphon, and even then that is a “maybe”. It has a few more tricks up its sleeve, such as leveraging domain fronting and meek (google: domain fronting and meek).

The best way I found to test is to install the app on a device (I used an Android device I could easily wipe) and let it run to attempt to circumvent. There is a good chance that, when left running, it will find a way out. In addition, I highly recommend setting up alerts/reports to match the traffic and act upon the alerts. It can be very noisy; however, left unchecked, it will find a way out.

If psiphon is able to get out of your network, then consider the bad/malicious actors that could also get out of/into your network... consider DLP and reverse tunnels.
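The two detection ideas raised in this thread (domain fronting/meek, which only becomes visible once you decrypt, and direct-to-IP connections that never touched your DNS) can be turned into a simple alert rule. The following is an added example, not code from any poster or vendor in this thread: it parses a constructed, simplified "decrypted HTTPS" log format and flags flows where the TLS SNI and the HTTP Host header disagree across registered domains (the classic fronting signature), or where no SNI was sent at all (a connection to an IP literal). The log format, hostnames, IPs, and the two-label "registered domain" shortcut are assumptions for illustration; a real deployment would use the Public Suffix List and the field names of its own firewall.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log (not a real vendor format). One flow per line:
# <timestamp> <src_ip> <dst_ip> sni=<TLS SNI> host=<HTTP Host header> url=<path>
# The Host header is only visible because the flow was decrypted.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.1.2.3 203.0.113.10 sni=www.example.com host=www.example.com url=/
2019-03-01T10:00:02Z 10.1.2.3 203.0.113.20 sni=cdn.example-cloud.net host=meek-relay.example-circumvent.org url=/meek
2019-03-01T10:00:03Z 10.1.2.4 203.0.113.30 sni=static.example.org host=img.example.org url=/logo.png
2019-03-01T10:00:04Z 10.1.2.5 203.0.113.40 sni=cdn.example-cloud.net host=relay.example-circumvent.org url=/
2019-03-01T10:00:05Z 10.1.2.6 203.0.113.50 sni= host=198.51.100.7 url=/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"sni=(?P<sni>\S*)\s+host=(?P<host>\S*)\s+url=(?P<url>\S*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registered_domain(name: str) -> str:
    """Assumed simplification: last two DNS labels. Real code should use the
    Public Suffix List so that e.g. 'example.co.uk' is not reduced to 'co.uk'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def classify(rec: Dict[str, str]) -> str:
    """Label a decrypted flow by how its SNI and Host header relate."""
    sni = rec["sni"].lower()
    host = rec["host"].lower().split(":")[0]  # drop an explicit port if present
    if not sni:
        # No SNI at all: client connected to an IP literal, so no DNS-based
        # control (DNS Redirector, sinkholes) ever saw a name for this flow.
        return "no-sni"
    if IPV4_RE.match(host):
        return "ip-host"
    if sni == host:
        return "match"
    if registered_domain(sni) == registered_domain(host):
        # cdn.example.org vs img.example.org: normal CDN behaviour, not fronting.
        return "same-domain"
    # SNI names one organisation's front domain, Host names another's service:
    # the pattern domain fronting / meek relies on.
    return "fronting-suspect"


SUSPECT_CLASSES = {"fronting-suspect", "no-sni"}


def find_suspects(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records that should raise an alert."""
    suspects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["class"] = classify(rec)
        if rec["class"] in SUSPECT_CLASSES:
            suspects.append(rec)
    return suspects


def suspects_per_client(log_text: str) -> Counter:
    """Count alerts per source IP, so a noisy rule can be thresholded per host."""
    return Counter(rec["src"] for rec in find_suspects(log_text))


if __name__ == "__main__":
    for rec in find_suspects(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']} [{rec['class']}] "
              f"sni={rec['sni'] or '<none>'} host={rec['host']}")
    print(dict(suspects_per_client(SAMPLE_LOG)))
```

Without decryption only the SNI column exists, so the `fronting-suspect` rule cannot fire at all; that is the point made above about psiphon. Expect the `same-domain` class to dominate real traffic, and tune per-client thresholds rather than alerting on every mismatch.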