Home of internet privacy

ExpressVPN publishes outside security audit and open-sources browser extension

This post was originally published on January 28, 2019.

From the outside, most locks look the same. Some may resist picking or bumping, others may be reinforced against drills, but you’d never know just by looking. To recognize the strongest lock, you’d need to try to pick it yourself, ask a locksmith to test it, or perhaps even take it apart to examine the design.

VPNs are a bit like that. So while we’re confident that ExpressVPN provides industry-leading security and privacy, we know it might not be easy to tell from the outside.

We want you to be as confident as we are, though, so we’re committed to equipping you with the information you need to see for yourself. That’s why we published open-source leak testing tools—somewhat akin to providing a lockpick set—and outlined our security practices in great detail in the past year.

Today, we’re announcing two new trust and transparency initiatives that further enable everyone to verify that we live up to our promises: an independent, publicly released security audit and the open-sourcing of the ExpressVPN browser extension.

Cure53 put ExpressVPN’s security claims to the test

Independent third-party testing is a key element of ExpressVPN’s approach to security, and we regularly engage security auditors and penetration testers. In the past, we’ve used these audits to strengthen the security of our service, but as the VPN industry evolves, we’ve also come to see the importance of publishing the results as part of our commitment to trust and transparency. To that end, we are publishing our first independent, public security audit today—the first of many to come.

For this audit, we invited the respected cybersecurity firm Cure53 to conduct a thorough security review of our browser extension, providing its experts full access to the source code and builds. A team of four Cure53 testers assessed the security and privacy protections of the extension over seven days in October 2018, then followed up in mid-November to confirm that any identified issues had been fixed.

According to Cure53’s independent report, publicly available on the firm’s website, “the results of this Cure53 assessment of the ExpressVPN browser extension for Chrome are positive, and the mid-November 2018 fix verification process confirms that.”

In its investigation, Cure53 identified eight issues, none of which received a severity level higher than “medium.” Cure53 states that “quite clearly, this is a good security indicator.”

Of the issues, three were marked as “medium,” two “low,” and three “informational.” ExpressVPN’s engineering team promptly addressed these findings, and Cure53 verified this as part of the audit. Cure53 further notes that “it needs to be underlined that no security issues which would allow [attackers] to influence the state of the VPN connection via a malicious web page or alike were discovered.” In other words, nothing was found to fundamentally impact the core security and privacy protection that ExpressVPN provides.

We’re pleased that this audit reaffirms and strengthens the security of our browser extension, and we look forward to sharing further independent reviews in the near future.

Open-sourcing lets anyone review our code

In addition to the audit, we’re also publishing the source code of the ExpressVPN browser extension under an open-source license (GNU General Public License, version 2). This enables you or any third party to carry out the same type of assessment that Cure53 conducted.

One reason we did this stems from the way extensions work. An extension requires an extensive set of permissions to operate, some of which can seem alarming when requested by your browser. (For example, one permission warns that the extension can “read and change all your data on the websites you visit.”)

These permissions are necessary to deliver all the privacy and security functions of a VPN as well as added benefits, such as malware protection. By open-sourcing our extension, we’re inviting anyone to look under the hood and confirm that we are using these permissions responsibly and only for the reasons we have given.

To view the source code of the latest version of the ExpressVPN browser extension, see our GitHub page.

Our commitment to trust and transparency in the VPN industry

What we’ve announced today are two of the latest steps in our quest to not only demonstrate our commitment to security and privacy but also help set the bar for trust and transparency in the VPN industry.

As we noted last year when we launched a cross-industry initiative with the Center for Democracy and Technology to raise standards for all VPNs, we believe that anything that helps internet users make more informed decisions when choosing a VPN ultimately makes the internet more private and secure for all.

As we continue to engineer new and better ways to protect privacy and security online, we look forward to publishing more audits, tools, and insights that enable you to see and decide for yourself which VPN delivers the protection that you need.

Editors’ Note: August 2, 2019
In line with our commitment to continue to publish more independent audits, we recently invited PwC to verify our VPN servers comply with our privacy policy and to audit our TrustedServer technology. To learn more and read the full PwC audit report, see our full announcement blog post.