ExpressVPN publishes outside security audit
ExpressVPN has been known for its commitment to trust and transparency. Now, this British Virgin Islands-based VPN provider has taken it to the next level on three fronts.
First, Express invited a respected third party, the cybersecurity firm Cure53, to conduct an independent, publicly released security audit of its Chrome browser extension. Second, ExpressVPN open-sourced its Chrome browser extension for full transparency and testability. Lastly, and most recently, ExpressVPN released the results of its PwC (PricewaterhouseCoopers) privacy and security audit.
So let’s uncover now what the Cure53 security investigation and PwC audit have unearthed.
PwC ensures the privacy and security of Express servers
The recently completed audit by one of the “Big Four” auditing firms, PwC, showed that ExpressVPN really delivers on its promises.
According to ExpressVPN, PwC’s independent audit team examined the VPN provider’s code and interviewed their team members. This was done to ensure that ExpressVPN’s servers were in compliance with their strict Privacy Policy, including of course the no-logs promise.
They write:
To enable PwC to thoroughly audit our servers, we gave them extensive access to our team and system information. Over the course of a month, PwC interviewed staff responsible for managing our VPN servers; inspected source code, configurations, and technical log files; and observed our server configuration and deployment processes.
Based on the results of the PwC audit, ExpressVPN remains one of the safest, most private and most secure VPNs currently on the market.
Cure53 investigates security claims
In October 2018, a team of four from the Cure53 cybersecurity firm started a roughly 7-day round of investigation and testing. Their target was the ExpressVPN Chrome browser extension. The goal was to have an independent third party test the browser extension to see whether its security claims are true.
This wasn’t the first security audit or penetration test for ExpressVPN, though. Express had used regular audits and tests to improve their VPN and the security of their service. However, the Cure53 test was the first independent security audit whose report was published (January 28, 2019) for anyone to read. ExpressVPN promises more public audits to follow as clear proof of their commitment to trust and transparency.
Last October, Cure53 meticulously assessed the security and privacy protections of the ExpressVPN Chrome extension. Their investigation found eight security-relevant risks. Three of these were labeled as medium level, two low level, and three only informational level risks. Nevertheless, the overall picture showed that there were no severe security and privacy issues.
This is what the Cure53 testing team concluded: “All in all, the impression gained about the ExpressVPN WebExtension is positive and the project complies with the major security and privacy standards.”
But the audit wouldn’t really make sense without consequent fixing and verification. Therefore, after the Cure53 security and privacy assessment was available, the ExpressVPN developers patched up all the detected holes. Then, the testers were ready to verify the fixes in mid-November 2018.
Here’s the conclusion after the verification: “The results of this Cure53 assessment of the ExpressVPN browser extension for Chrome are positive, and the mid-November 2018 fix verification process confirms that.”
Now we can all sleep tight, right?
How open-sourcing helps transparency
ExpressVPN wasn’t satisfied by just sharing the Cure53 findings publicly – they wanted more. Therefore, Express decided to open-source the browser extension for more transparency.
The truth is, you may have noticed how many permissions you’re required to grant when installing a browser extension, let alone a VPN app. Most users don’t even bother to read these, but privacy-conscious users may feel red flags popping up when reading these:
Things like “Read and change all your data on the websites you visit” and “Change your privacy-related settings” could be risky if you’re installing an unreliable or questionable extension.
However, when it comes to a trustworthy VPN like ExpressVPN, these are vital permissions for the best and most optimal security service in your browser.
So, how does open-sourcing help transparency?
Here’s what ExpressVPN has for an answer to this: “By open-sourcing our extension, we’re inviting anyone to look under the hood and confirm that we are using these permissions responsibly[…].” In other words, feel free to check out the source code here if you want to see how ExpressVPN takes care of your online security and privacy.
ExpressVPN’s commitment to trust and transparency
You may also have noticed that, out of the 1,000+ VPN services, many are unreliable, to say the least. Lots of them may, for instance, collect and sell your personal information to third parties, including your IP address and online activities. Many claim no logs whatsoever; however, that seems to be just promotional talk way too frequently.
So how secure and anonymous is a VPN service then?
To provide an answer to this serious question, leaders of the VPN industry like ExpressVPN do their best to be as transparent as possible. With these two latest initiatives, ExpressVPN hopes to “set the bar for trust and transparency in the VPN industry.”
As a matter of fact, ExpressVPN has already put some results on the table proving their commitment to trust and transparency. Last year they launched a cross-country initiative with the Center for Democracy and Technology in order to raise standards for the whole VPN industry.
Naturally, ExpressVPN isn’t alone in this fight for trust and transparency. For example, NordVPN also had an independent auditor look at their no-logs policy back in November 2018. There also seem to be more and more VPN providers who take third-party audits seriously. VyprVPN actually boasts of being the “world’s first publicly audited no log VPN service”; interestingly, that audit also took place last November.
It seems that a new type of race has emerged among the best VPN services on the market: a race for transparency and third-party audits. We VPN users can only welcome these initiatives because, at the end of the day, they serve us as well as our online security and privacy. Well done, ExpressVPN and all others who have joined or will join this race!