ExpressVPN Launches New Transparency Initiative: Browser Extension Security Audit & Open Sourcing

Last updated on May 5, 2021

Not only is ExpressVPN one of the fastest and most reliable VPN providers around, but it’s also the one making the most headway (and headlines) in making its service transparent for users. With so much controversy surrounding VPNs and how they operate, the need for clarity is paramount. Not only do some VPNs track and monitor all your online movements, but some also take a step further over the line of what’s ethical and what’s not. Numerous free VPNs, for example, are embedded with malware, while others, like Betternet VPN, have been accused of selling or sharing your data with third parties.

If we take an overtly distrustful approach to this data and activate our conspiracy-theory-seeking missiles, we could presume that VPNs are being given a bad name in an effort to stop people from using them and to give governments and other powerful organizations access to individuals’ private browsing patterns and online behavior. It’s a theory, but not necessarily a good one.

Fortunately, ExpressVPN has taken a rather different approach to the rumors of unreliable VPN services and launched two new trust initiatives. The first is an independent security audit and the second is the publication of ExpressVPN’s browser extension source code. ExpressVPN isn’t the first provider to conduct an independent audit; Surfshark, Mullvad, and TunnelBear have already undertaken security audits to prove that their products operate as advertised, delivering both security and privacy to their users.

The second initiative, making the browser extension source code public, was launched to give the general public the tools to perform their own assessment of the permissions the extension requires in order to operate. According to ExpressVPN, an extension needs a broad range of permissions to work effectively. Unfortunately, some of these permissions are rather disconcerting, and users may cringe at warnings stating that the extension has permission to both view and change all the data you enter on the websites you visit.

By making the source code public, ExpressVPN is giving all and sundry the opportunity to inspect the working components and gain the inside knowledge required to confirm that ExpressVPN uses those permissions responsibly and in accordance with its policy.
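The kind of assessment described above starts with the extension's manifest, where the permissions behind those warnings are declared. The following is an added example, not ExpressVPN's code or manifest: a small triage script that reads a manifest.json object and flags the host patterns and API permissions that grant access to page data on every site. The risk tiers and notes are this example's own labels, and the sample manifest is constructed for illustration.

```javascript
// Added example, not ExpressVPN's code: triage the permissions declared in a
// browser extension's manifest.json so a reviewer can see which entries grant
// access to page content on every site the user visits. Risk tiers and notes
// are this example's own labels, not Chrome's official warning text.

// Host patterns that match every origin. These are what trigger the
// "read and change all your data on the websites you visit" class of warning.
const ALL_SITES_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions a VPN/proxy extension plausibly needs, with the capability each grants.
const PERMISSION_NOTES = new Map([
  ["proxy",              { tier: "medium", note: "can route all browser traffic through a proxy" }],
  ["webRequest",         { tier: "medium", note: "can observe requests to every matching site" }],
  ["webRequestBlocking", { tier: "medium", note: "can block or modify requests before they are sent" }],
  ["privacy",            { tier: "medium", note: "can change privacy settings such as WebRTC IP handling" }],
  ["tabs",               { tier: "medium", note: "can read URLs and titles of open tabs" }],
  ["storage",            { tier: "low",    note: "extension-local storage only" }],
]);

function isAllSites(pattern) {
  return ALL_SITES_PATTERNS.has(pattern);
}

function auditManifest(manifest) {
  // MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const findings = declared.map((p) => {
    if (isAllSites(p)) return { permission: p, tier: "high", note: "read/change page data on all sites" };
    const known = PERMISSION_NOTES.get(p);
    if (known) return { permission: p, ...known };
    return { permission: p, tier: "unknown", note: "not in this example's list; review manually" };
  });
  // Content scripts matching every site inject code into each page the user opens.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isAllSites(m)) findings.push({ permission: `content_scripts:${m}`, tier: "high", note: "script injected into every page" });
    }
  }
  return { manifestVersion: manifest.manifest_version, findings, allSitesAccess: findings.some((f) => f.tier === "high") };
}

// Constructed sample manifest for a hypothetical VPN extension (not any real product's manifest).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example VPN Helper",
  permissions: ["proxy", "webRequest", "privacy", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run against a real extension by loading its manifest.json with `JSON.parse` and passing the object to `auditManifest`; a `high` finding is exactly the case the page's warning text describes, and the published source is where you then confirm what that access is used for.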

Cure53 and the Independent Audit

Cure53 is a German cybersecurity company that specializes in penetration tests of websites, producing reports that expose vulnerabilities and bugs and propose possible fixes for the problems identified. Working for ExpressVPN, Cure53 committed to a week-long investigation of the browser extension, including its source code and various builds. The team then followed up with another test some weeks later to ascertain whether all the vulnerabilities identified had been addressed.

Cure53’s full report is available for viewing on its site but, in summary, it states that the results of the assessment were positive. Although eight issues were identified, none of them was particularly serious, with none scoring higher than medium on the severity scale. According to Cure53, “this is a good security indicator”.

Cure53 went on to assert that none of the issues identified would allow cybercriminals or attackers “to influence the state of the VPN connection”. In other words, ExpressVPN’s assertion that it provides a VPN service solely designed to give users a secure and private browsing experience holds up.

The Cure53 report details every issue identified and then notes the fix applied by ExpressVPN and the date on which the fix was verified. Cure53 has also been responsible for the audits on Mullvad, Surfshark, and TunnelBear, producing similarly comprehensive reports to give users a microscopic view of how these VPNs actually operate.

ExpressVPN’s Other Security Initiatives

In addition to these latest developments, ExpressVPN has been consistently challenging the general perception of VPNs and their reliability over the past year or so. Given the bad press VPNs have been getting, ExpressVPN’s efforts are more than welcome, with some researchers even going so far as to suggest that the only reliable VPN is one you set up yourself.

That’s all well and good if you have the skills required to create your own secure tunnel, but for most of us it’s slightly beyond our technological know-how. It’s hardly surprising, then, that top VPN providers like ExpressVPN have accumulated millions of users keen to reap the benefits of a secure connection while enjoying a user-friendly interface that lets you connect to any server anywhere in the world with a single click.

ExpressVPN offers a reliable alternative to creating your own VPN, and not only because of its two latest initiatives. Last year, ExpressVPN teamed up with the Center for Democracy & Technology to introduce an industry standard for VPNs with regard to their corporate accountability, security protocols, and privacy practices.

So far, a further four VPN providers have provided answers to the CDT’s questions regarding the trustworthiness of their services. As proponents of a free and open internet, we would like to see more reputable VPNs participate in the CDT’s Signals of a Trustworthy VPN initiative and lay bare their inner workings in an effort to increase the validity and credibility of their services.

ExpressVPN has also made its Leak Testing Tools available to everyone, giving both users and third parties access to an automated testing regime. The intention behind this initiative was to benefit the VPN industry as a whole by enabling people to check for a variety of leaks, including DNS, WebRTC, and IP traffic leaks, and to empower users by giving them the means to verify the quality of their VPN service and identify any possible security risks. In turn, ExpressVPN hopes this will raise the benchmark for leak protection across the entire VPN industry.

The Future of VPNs

After the furor in the US last year when the Senate voted to allow ISPs to share user data without consent, demand for VPNs has unsurprisingly increased, and the need for reliable, trustworthy cybersecurity providers has never been greater. Quite how this will affect the VPN industry is anyone’s guess, although Forbes predicts a steady increase in VPN usage over the next decade, saying that privacy breaches, hacking on public Wi-Fi connections, and government censorship will only underline the importance of anonymous, secure browsing.

The only problem is that, in order to reach those online security goals, we need more reliable VPNs and fewer fake and bogus cybersecurity operations. Sadly, even downloading a VPN app from a reliable source like Google Play doesn’t guarantee that the VPN is going to protect your privacy and security. In fact, research suggests that around 85% of the VPNs available on Google Play contain source code that could compromise privacy and request permissions that are practically begging to be exploited.

Other issues haunting the VPN industry have been exposed in the courtroom, with companies like PureVPN being forced to hand over data that, according to their no-logging policy, should never have been in their possession in the first place. By contrast, when both Private Internet Access VPN and ExpressVPN were instructed to hand over user information, they each verified their no-logging policy by being unable to cooperate. Unfortunately, we can’t expect every VPN provider to be hauled in front of a judge in order to prove its reliability, which is why initiatives
