One of the best VPN services around, ExpressVPN has recently shown a serious commitment to user privacy and security.
The provider called in two independent audit firms between last spring and summer to check the reliability of its desktop applications in three security audits. Right after that, a separate review also confirmed the security of both iPhone VPN and Android VPN software, as well as the reliability of ExpressVPN Keys’ own password management tool.
Now, as part of ongoing transparency efforts, the experts at Cure53 have been called upon to evaluate ExpressVPN’s own Lightway protocol for the second time in two years.
Despite a few minor bugs that the provider said they had already fixed, Cure53 was pleased with the results, which were rated “positive” overall.
Twelve independent audits per year
“With this latest assessment, ExpressVPN has completed and published 12 third-party audits in the last year alone – covering all of our mobile and desktop apps, our privacy policies, and key technologies,” an ExpressVPN spokesperson told TechRadar.
“It also means that we have published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service.”
This time we tested ExpressVPN Lightway, an open-source VPN protocol that the provider developed from scratch.
The tests were conducted by Cure53 from October to November 2022. Experts evaluated all protocol components, including the Lightway server and client, and shared libraries, conducting both a penetration test and a dedicated source code audit. The methodology chosen for the audit was a series of white-box tests.
Cure53 identified a total of nine issues. Of these, only three were classified as low exploit vulnerabilities.
“It is clear that the overall number of statements is moderate and can be interpreted as a good sign of the safety of controlled elements of Lightway,” we read. Cure53 final report (opens in a new tab).
“Given a combination of factors, namely comprehensive coverage, low number of results, and no high-impact issues, this Cure53 evaluation of ExpressVPN Lightway components concludes with a positive outcome.”
Experts also reported good access and communication throughout the evaluation period, noting how the ExpressVPN team provided quick and excellent responses to requests.
Moreover, the provider is said to have fixed all the issues already reviewed by Cure53 in February 2023.
IN blog post (opens in a new tab)ExpressVPN said it was very pleased with the results. “We are proud to have helped advance the VPN industry with technological innovations such as Lightway and TrustedServer.
“Our latest round of audits of unprecedented comprehensiveness is another example of how we are leading the industry to ensure greater privacy and security for Internet users.”