ExpressVPN open-sources its browser extension and releases an audit

This post was originally published on January 28, 2019.

From the outside, most locks look exactly the same. Some may resist bumping or picking, and others may have a stronger defense against drills, but you’d never know by just looking. To find out how strong a lock is, you could try to pick it yourself, or you could ask your locksmith for help.

VPNs are the same. ExpressVPN has industry-leading privacy and security, but that can be difficult to see from the outside.

Because we want you to feel as confident as we do, we make it our mission to give you all of the details you will need. That is also why we released open-source leak testing tools, which is similar to handing out lockpick sets, and why, over the past year, we detailed our security methods.

Today we announce two new transparency and trust initiatives that further allow anyone to check that we keep our promises: an independent, publicly available security audit, and the open-sourcing and public release of ExpressVPN’s browser extension.

Cure53 puts ExpressVPN’s security claims to the test

ExpressVPN has a strong security strategy, so we often engage third-party security testers. While we previously used these audits to secure our service, we now understand the importance of publishing their results in order to maintain trust and transparency. Today we publish the first independent security audit, and we expect many more.

Cure53 is the cybersecurity company we engaged to carry out this audit. The firm had complete access to our source code and build files. In October 2018, four Cure53 testers assessed the extension’s privacy and security protections. They followed up on their findings in November 2018 to confirm any issues that had been identified.

Cure53 has independently made its report available. It states: “The Cure53 assessments of ExpressVPN Chrome browser extension are positive. Mid-November 2018 fixes confirm this.”

Cure53 uncovered eight issues. It did not find any of them to be more severe than “medium” and declared: “quite clear, this is an excellent security indicator.”

ExpressVPN’s engineering department quickly resolved these problems, and Cure53 verified this in the audit. Cure53 states that no security flaws were detected that might allow an attacker to affect the VPN connection through a malicious webpage or otherwise.

We are delighted that this audit confirmed and reinforced the security features of our browser extensions.

Open-sourcing our code for anyone to examine

Apart from the audit, we will also be publishing the source code of the ExpressVPN browser extension under an open license (GNU General Public License, version 2). This allows anyone, including third parties, to carry out the same types of assessments as Cure53.

We decided to do this because of how extensions work. To run, an extension needs a lot of permissions, and some of them can even look scary when your browser requests them. One permission, for example, warns that the extension can read and alter your data, as well as all information stored on the sites you visit.

These permissions are what allow you to get all the privacy, security, and added benefits of a VPN. Because the extension has been open-sourced, anyone can examine it and confirm that it uses the permissions only for the purposes we specified.

See our GitHub page for more information.

The VPN industry is committed to transparency, trust, and openness

These are the two latest steps in our ongoing quest to protect privacy and secure our network. We also want to raise trust levels in the VPN industry.

Last year, in collaboration with the Center for Democracy and Technology, we launched a cross-industry initiative to improve standards for all VPNs. It is our belief that any effort that helps internet users make educated decisions in choosing a VPN makes the web more private and secure for all.

We look forward to continuing to develop better ways to safeguard privacy and security online. To that end, we will publish more tools, audits, and insights.

Editors’ Note: February 2, 2019

PwC was invited recently to check whether our VPN servers conform to our privacy policy. They also audited our TrustedServer technology. Our full blog announcement contains more information.

ExpressVPN Vice president