ExpressVPN’s Lightway protocol passes second audit with flying colors
ExpressVPN, one of the best VPN services out there, has recently shown a serious commitment to user privacy and security.
Between spring and summer last year, the provider engaged two independent accounting firms to check the reliability of its desktop apps in three security audits. Immediately afterwards, a separate audit also proved the security of its software as both an iPhone VPN and Android VPN, along with the reliability of its proprietary password management tool ExpressVPN Keys.
Now, in an ongoing effort for transparency, Cure53 experts were brought in to review ExpressVPN’s proprietary Lightway protocol for the second time in two years.
Despite a few minor bugs, which the provider said it had already fixed, Cure53 was pleased with the findings, which produced a “positive result” overall.
Twelve independent audits in one year
“With this latest review, ExpressVPN has completed and published 12 third-party audits in the last year alone — covering all of our mobile and desktop apps, privacy policies, and key technologies,” an ExpressVPN spokesperson told TechRadar.
“This also means we’ve published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service.”
This time it was the turn of Lightway, the open-source VPN protocol that ExpressVPN developed from scratch.
The tests were conducted by Cure53 between October and November 2022. Experts evaluated all components of the protocol, including the Lightway server and client, and shared libraries, with both a penetration test and a special source code audit. The methodology chosen to conduct the audit was a series of white box tests.
Cure53 identified a total of nine issues. Of these, only three were classified as low-level exploitable security vulnerabilities.
“It is clear that the overall number of findings is moderate and can be interpreted as a good sign for the safety of the inspected Lightway components.” (Cure53 final report)
“Based on the combination of factors, namely the extensive coverage, the low number of findings and the absence of major issues, it can be concluded that this Cure53 review of the ExpressVPN Lightway components concludes with a positive result.”
Experts also reported good access and communication throughout the review period, noting that the ExpressVPN team responded quickly and excellently to requests.
In fact, the provider has reportedly resolved all issues, and the fixes were already checked by Cure53 in February 2023.
In a blog post, ExpressVPN said it was very pleased with the results. “We are proud to have helped advance the VPN industry with technology innovations such as Lightway and TrustedServer.
“Our latest round of audits with unprecedented comprehensiveness is another example of how we’re moving the industry forward to provide Internet users with greater privacy and security.”