ExpressVPN unveil independent security audit

ExpressVPN has followed the lead of a number of other VPN services and decided to put its security to the test. It has commissioned an independent security audit to test the strength of its service and has made the full results public for the first time.

ExpressVPN said in a blog post that they have used external security auditors in the past to test the strength of their service and apps. Until now, however, they have not published the results, instead acting internally on what the audits found.

In the interests of transparency, they have decided to change this policy, and the audit they have published today will be the first of many.

The new ExpressVPN audit has been carried out by Cure53, the same cyber-security firm that undertook the first ever security audit on a VPN when they looked at TunnelBear last year.

ExpressVPN Browser extension audited

This first audit was limited to the ExpressVPN browser extension, but it seems that they will be looking at various other apps in the future.

In their blog, they explain why they decided to start the security audit process with their browser extension. They explain that all extensions require a number of permissions to function properly and acknowledge that these will concern some users.

By undertaking an independent security audit they hope to convince users that they are using these permissions responsibly.

In carrying out their audit, Cure53 was given full access to both the source code and various builds of the extension. A team of four testers spent seven days looking at all of this in October of last year. After submitting their report, they then returned to the extension in November to ensure all of the issues they flagged had been addressed.

You can read the full report of their findings here if you so wish, but to summarise, the results were impressive.

Cure53 found a total of just 8 security issues in the ExpressVPN browser extension. This is a very modest number for such an in-depth audit. Cure53 states in their report that, “quite clearly, this is a good security indicator.”

Even more encouragingly, none of these issues were classified with a severity level higher than medium. In total, just three were marked as medium, two as low, and three more as informational.

All of these have subsequently been addressed and ExpressVPN have been at pains to stress that nothing that was found compromised the security of their VPN connections at any time.

Cure53 state as much in their report, saying, “it needs to be underlined that no security issues which would allow [attackers] to influence the state of the VPN connection via a malicious web page or alike were discovered.”

It goes without saying that ExpressVPN was very pleased with the outcome of the audit. They conclude their blog post by stating that, “We’re pleased that this audit reaffirms and strengthens the security of our browser extension, and we look forward to sharing further independent reviews in the near future.”

Browser extension source code published

Publishing a full independent security audit is a bold step for any security company and emphasises ExpressVPN’s confidence in the security of their product.

But they have also gone one step further. In the same blog post, ExpressVPN announced that they were publishing the source code of the ExpressVPN browser extension under an open-source license (GNU General Public License, version 2).

In doing so, they are inviting anyone who is interested to carry out the same checks on all of their code as Cure53 has done.

This means you or any third party can carry out the same type of assessment that Cure53 conducted. ExpressVPN are so confident in the security of their browser extension that they are sure no-one will find any additional issues.

If they do, ExpressVPN is inviting them to let them know and it is quite possible they will receive a handsome reward for their endeavours.

It has to be understood that the audit currently only looks at the browser extension portion of the service. It does not involve their more mainstream apps or their service as a whole. However, we look forward to hearing about relevant audits of these in the near future.

Both of these decisions are a big leap forward for ExpressVPN and will only serve to cement their place as our editors' pick as the best VPN in the world right now.
