ExpressVPN Security Audit & Open Source

3

37507

Thread author
From the outside, most locks look the same. Some may resist picking or bumping, others may be reinforced against drills, but you’d never know just by looking. To recognize the strongest lock, you’d need to try to pick it yourself, ask a locksmith to test it, or perhaps even take it apart to examine the design.

VPNs are a bit like that. So while we’re confident that ExpressVPN provides industry-leading security and privacy, we know it might not be easy to tell from the outside.

We want you to be as confident as we are, though, so we’re committed to equipping you with the information you need to see for yourself. That’s why we published open-source leak testing tools—somewhat akin to providing a lockpick set—and outlined our security practices in great detail in the past year.

Today, we’re announcing two new trust and transparency initiatives that further enable everyone to verify that we live up to our promises: an independent, publicly released security audit and the open-sourcing of the ExpressVPN browser extension.

Cure53 put ExpressVPN’s security claims to the test

Independent third-party testing is a key element of ExpressVPN’s approach to security, and we regularly engage security auditors and penetration testers. In the past, we’ve used these audits to strengthen the security of our service, but as the VPN industry evolves, we’ve also come to see the importance of publishing the results as part of our commitment to trust and transparency. To that end, we are publishing our first independent, public security audit today—the first of many to come.

For this audit, we invited the respected cybersecurity firm Cure53 to conduct a thorough security review of our browser extension, providing its experts full access to the source code and builds. A team of four Cure53 testers assessed the security and privacy protections of the extension over seven days in October 2018, then followed up in mid-November to confirm that any identified issues had been fixed.

According to Cure53’s independent report, publicly available on the firm’s website, “the results of this Cure53 assessment of the ExpressVPN browser extension for Chrome are positive, and the mid-November 2018 fix verification process confirms that.”

In its investigation, Cure53 identified eight issues, none of which received a severity level higher than “medium.” Cure53 states that “quite clearly, this is a good security indicator.”

Of the issues, three were marked as “medium,” two “low,” and three “informational.” ExpressVPN’s engineering team promptly addressed these findings, and Cure53 verified this as part of the audit. Cure53 further notes that “it needs to be underlined that no security issues which would allow [attackers] to influence the state of the VPN connection via a malicious web page or alike were discovered.” In other words, nothing was found to fundamentally impact the core security and privacy protection that ExpressVPN provides.

We’re pleased that this audit reaffirms and strengthens the security of our browser extension, and we look forward to sharing further independent reviews in the near future.

Open-sourcing lets anyone review our code

In addition to the audit, we’re also publishing the source code of the ExpressVPN browser extension under an open-source license (GNU General Public License, version 2). This enables you or any third party to carry out the same type of assessment that Cure53 conducted.

One reason we did this stems from the way extensions work. An extension requires an extensive set of permissions to operate, some of which can seem alarming when requested by your browser. (For example, one permission warns that the extension can “read and change all your data on the websites you visit.”)

These permissions are necessary to deliver all the privacy and security functions of a VPN as well as added benefits, such as malware protection. By open-sourcing our extension, we’re inviting anyone to look under the hood and confirm that we are using these permissions responsibly and only for the reasons we have given.
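The paragraph above is the crux of why open-sourcing matters: broad permissions are not wrong in themselves, but a reviewer has to map each one to the code that uses it. The following is an added example (not ExpressVPN's, Cure53's or the extension's own code) of the first pass a reviewer would make over an open-sourced extension: read the permissions declared in its manifest.json, flag the broad host patterns that produce the "read and change all your data on the websites you visit" warning, and attach a checklist note to each high-impact API permission. The manifest, the permission notes and the function names are all constructed for illustration.

```javascript
// Added example, not ExpressVPN's, Cure53's or the extension's own code:
// a small triage of the permissions an extension's manifest.json declares,
// the first thing a reviewer does with an open-sourced extension before
// reading the code that uses each permission.

// Constructed sample manifest (Manifest V2 layout, where host patterns and
// API permissions share the "permissions" array). Not a real extension's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example VPN helper (constructed sample)",
  permissions: [
    "proxy", "webRequest", "webRequestBlocking", "storage",
    "tabs", "privacy", "<all_urls>",
  ],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Plain-language meaning of the high-impact API permissions and what to check
// in the source for each (reviewer's own notes, not browser documentation).
// Anything not listed here is treated as low impact.
const HIGH_IMPACT = {
  proxy: "can route every request through a proxy; confirm only the VPN endpoints are ever set",
  webRequest: "sees every request (URLs, headers); confirm nothing is copied off-device",
  webRequestBlocking: "can rewrite or block requests; read the filter rules and their failure mode",
  tabs: "reads URLs and titles of all open tabs; look for telemetry",
  privacy: "changes browser privacy settings such as WebRTC; expected for leak protection",
  cookies: "reads and writes cookies for permitted hosts; check the scope",
  history: "reads browsing history; rarely justified for a VPN",
};

// A host pattern is "broad" when it matches every host: "<all_urls>" or a
// match pattern whose host part is a bare "*" (e.g. "*://*/*", "https://*/*").
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|ftp):\/\/\*\//.test(pattern);
}

// Host patterns carry a scheme separator; everything else is an API permission.
function isHostPattern(entry) {
  return entry === "<all_urls>" || entry.includes("://");
}

function triageManifest(manifest) {
  // Gather every place a manifest can request host access (V2 and V3 layouts).
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const hostPatterns = [...new Set(requested.filter(isHostPattern))];
  const apiPermissions = [...new Set(requested.filter((e) => !isHostPattern(e)))];

  const findings = [];
  for (const p of hostPatterns) {
    if (isBroadHostPattern(p)) {
      findings.push({
        permission: p,
        note: 'shown to users as "read and change all your data on the websites you visit"; justify every site it touches',
      });
    }
  }
  for (const p of apiPermissions) {
    if (HIGH_IMPACT[p]) findings.push({ permission: p, note: HIGH_IMPACT[p] });
  }
  return {
    hostPatterns,
    apiPermissions,
    broadHostAccess: hostPatterns.some(isBroadHostPattern),
    findings,
  };
}

// Stand-alone run: print the review checklist for the sample manifest.
const report = triageManifest(SAMPLE_MANIFEST);
console.log(`Broad host access: ${report.broadHostAccess}`);
for (const f of report.findings) console.log(`- ${f.permission}: ${f.note}`);
```

The output is a checklist, not a verdict: every flagged permission is then traced to the code paths that use it, which is exactly the work that access to the source (and, for Cure53, to the builds) makes possible.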

To view the source code of the latest version of the ExpressVPN browser extension, see our GitHub page.

Our commitment to trust and transparency in the VPN industry

What we’ve announced today are two of the latest steps in our quest to not only demonstrate our commitment to security and privacy but also help set the bar for trust and transparency in the VPN industry.

As we noted last year when we launched a cross-industry initiative with the Center for Democracy and Technology to raise standards for all VPNs, we believe that anything that helps internet users make more informed decisions when choosing a VPN ultimately makes the internet more private and secure for all.

As we continue to engineer new and better ways to protect privacy and security online, we look forward to publishing more audits, tools, and insights that enable you to see and decide for yourself which VPN delivers the protection that you need.

ExpressVPN Releases Audit and Open-Sources Browser Extension

Cortex
It looks similar to the report from Surfshark from 'Cure53' - https://surfshark.com/blog/blog-surfshark-browser-extensions-stand-out-for-their-robust-security-independent-investigation-revealed

They too are in the British Virgin Isles (must be getting a bit crowded there). Apparently they use bare-metal servers, and you are not limited to three devices in use: unlimited users (can't see that lasting). All USA servers work with Netflix in the UK. 'That One Privacy Site' gives them all greens (That One Privacy Site | Simple VPN Comparison Chart), which in itself is unusual. Time will tell :)
 

Sunshine-boy
Only extension audited = useless audit. The only audited VPNs are Mullvad and TunnelBear :)
You should change your article to "ExpressVPN extension audit and open source".
Nord, Express, Surfshark, CyberGhost, Hotspot Shield, Avira Phantom, Vypr, Ivacy, PureVPN, IPVanish, Proton, TorGuard and Hide My Ass are good if you can get them for free.
All of them will surrender your information to law enforcement.
"We don't log anything! 120% zero logs. But we hand over your information if the court asks" lol. Zero logs don't matter!
There is also data retention law. No safety with any VPN, which is why you shouldn't pay for them but learn how to get them for free.
I'm using ExpressVPN + NordVPN Chrome extension = double hope, also free.
 
3

37507

Thread author
Only extension audited = useless audit. The only audited VPNs are Mullvad and TunnelBear :)
You should change your article to "ExpressVPN extension audit and open source".
Nord, Express, Surfshark, CyberGhost, Hotspot Shield, Avira Phantom, Vypr, Ivacy, PureVPN, IPVanish, Proton, TorGuard and Hide My Ass are good if you can get them for free.
All of them will surrender your information to law enforcement.
"We don't log anything! 120% zero logs. But we hand over your information if the court asks" lol. Zero logs don't matter!
There is also data retention law. No safety with any VPN, which is why you shouldn't pay for them but learn how to get them for free.
I'm using ExpressVPN + NordVPN Chrome extension = double hope, also free.
"Useless audit"
It isn't.

ExpressVPN has already been proven to keep no logs. See article below.

"The only audited VPNs are Mullvad and Tunnelbear"
You're wrong again.

You're using Chrome and the extension instead of the desktop application for privacy... You're going backwards at this point.
 

Sunshine-boy

"Useless audit"
It isn't.
Hey, they need to audit the client, not just the extension (the Mullvad client and the TunnelBear client are both audited). There are many holes in a VPN client that put user privacy at risk (like leaking the IP or DNS), and only an audit (expert review) can fix that.
ExpressVPN has already been proven to keep no logs. See article below.
Ye, for the Turkish government. What if it was the USA or UK government? :) There is also data retention law, which means the ISP that hosts the VPN server has to keep logs even if your VPN doesn't. So if I'm using ExpressVPN and connected to an ISP in France, this server has to log everything (data retention law) and Express can't do anything about it (it's not owned by ExpressVPN).
"The only audited VPNs are Mullvad and Tunnelbear"
You're wrong again.
They are not security audits but no-log audits. Don't you understand the difference? :) Mullvad passed the security audit.
Also:
Nord deals are also cheap ($3 for 3 years). How do they pay for 5000+ servers? It's suspicious.
Vypr's no-logs audit means nothing to me.


A VPN that claims no logs but gets you into trouble lol.
You're using Chrome and the extension instead of the desktop application for privacy
No, I'm using Yandex + ExpressVPN client + NordVPN Chrome extension. It's bad but good for free; also I'm not doing something bad so IDC.
Good VPNs:
Ivpn
Mullvad
Perfect privacy
 
3

37507

Thread author
Hey, they need to audit the client, not just the extension (the Mullvad client and the TunnelBear client are both audited). There are many holes in a VPN client that put user privacy at risk (like leaking the IP or DNS), and only an audit (expert review) can fix that.
You called ExpressVPN's audit useless. It isn't and you just agreed with me. They just need to audit their client as well. If you read the end of the article, ExpressVPN states the following:

As we continue to engineer new and better ways to protect privacy and security online, we look forward to publishing more audits, tools, and insights that enable you to see and decide for yourself which VPN delivers the protection that you need.
The audits are coming.

Ye, for the Turkish government. What if it was the USA or UK government? :) There is also data retention law, which means the ISP that hosts the VPN server has to keep logs even if your VPN doesn't. So if I'm using ExpressVPN and connected to an ISP in France, this server has to log everything (data retention law) and Express can't do anything about it (it's not owned by ExpressVPN).
Doesn't matter which government it was. Logs are not gonna magically appear because it was the United States instead of Turkey. Also, that's not how data retention laws work... Most data retention laws do not apply to VPNs.

They are not security audits but no-log audits. Don't you understand the difference? :) Mullvad passed the security audit.
Also:
No-log audits > client/extension audit
No-log audit with OpenVPN support = winning.

Nord deals are also cheap ($3 for 3 years). How do they pay for 5000+ servers? It's suspicious.
Yet, you use NordVPN... lol

Vypr's no-logs audit means nothing to me.

A VPN that claims no logs but gets you into trouble lol.

I can go on any VPN providers forum and create the same post.

No, I'm using Yandex + ExpressVPN client + NordVPN Chrome extension. It's bad but good for free; also I'm not doing something bad so IDC.
From Yandex's privacy policy:
Personal information collected by Yandex when you access, interact with or operate the Sites and/or Services includes:
(i) information provided by you when you register (create) a user account, such as your name, mobile phone number, address and age;
(ii) electronic data (http headers, IP address, cookies, web beacons/pixel tags, browser information, information about your hardware and software);
(iii) date and time of accessing the Sites or Services;
(iv) information related to your activity when using the Sites or Services (e.g. your search history, email addresses of your contacts, content of your emails together with attachments, as well as files stored in Yandex systems);
(v) (geo)location information;
(vi) other information about you that needs to be processed according to the terms and conditions of any specific Yandex Site or Service; and
(vii) information about you that we may receive from our Partner in accordance with an agreement you made with this Partner and an agreement between Yandex and this Partner.
In addition, Yandex uses cookies and web beacons (including pixel tags) to collect your Personal information and associate this Personal information with your device and web browser (see Section 11 below).
Shooting yourself in the foot at this point.

Good VPNs:
Ivpn
Mullvad
Perfect privacy
Based on what information? I also think Perfect Privacy and Mullvad are great, but since there are no audits, they must be bad according to your logic?
 

Deckard
...there is also data retention law, which means the ISP that hosts the VPN server has to keep logs even if your VPN doesn't. So if I'm using ExpressVPN and connected to an ISP in France, this server has to log everything (data retention law) and Express can't do anything about it (it's not owned by ExpressVPN).
This is not true, or at least only partially:

If your VPN service provider uses a bare-metal dedicated server, even if it's a rental, the tenant (the VPN service provider) has full control of the server. Nobody (government, ISP, etc.) will install a spy app on this server.
Why?
-Because it's a serious fault. The server is private property, owned by the tenant during the rental period, and there are still laws about that, depending on the country, of course.
-Because the VPN service provider will find this spy app on the server.
However, there is always a possibility that the server's incoming and outgoing traffic is being monitored somewhere along the cable (by hoster/carrier/..) in an attempt to correlate traffic. That's not as easy as it sounds, and the chances of it working are not that great, especially on high-traffic servers, which is the case for a VPN.
With Perfect Privacy VPN (they use only bare-metal dedicated servers, with RAM disk, etc.), you could completely circumvent this possibility by enabling their "NeuroRouting" feature (dynamic server-side multi-hop).
The "Cascade" feature (multi-hop VPN / Perfect Privacy and some other VPN providers) even protects against a completely compromised server, not just traffic correlation.
 