ExpressVPN’s Lightway protocol passes second audit with flying colors

Cure53 confirmed the security of the provider’s in-house VPN protocol

One of the best VPN services around, ExpressVPN has been showing some serious commitment to users' privacy and security lately.

The provider called in two independent auditing firms between spring and summer last year to check the reliability of its desktop apps in three security audits. Right after this, a separate check also proved the security of its software as both an iPhone VPN and Android VPN, together with the reliability of its own password manager tool, ExpressVPN Keys.

Now, in a continued effort toward transparency, experts at Cure53 were called in to assess ExpressVPN's very own Lightway protocol for the second time in two years.

Despite a few minor bugs, which the provider says it has already fixed, Cure53 was pleased with the findings, reporting a “positive result” overall.

Twelve independent audits in a year

“With this latest assessment, ExpressVPN has completed and published 12 third-party audits in the past year alone - covering all of our mobile and desktop apps, our privacy policy, and key technologies,” an ExpressVPN spokesperson told TechRadar.

“This also means that we have published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service.”

This time the test covered ExpressVPN Lightway, the open-source VPN protocol that the provider developed from scratch.

The tests were conducted by Cure53 between October and November 2022. Experts evaluated all the components of the protocol, including the Lightway server and client, and shared libraries, with both a penetration test and a dedicated audit of the source code. A series of white-box tests was the methodology chosen to carry out the audit.

Cure53 identified a total of nine issues. Among these, only three were classified as security vulnerabilities at low levels of exploitation.

“Quite clearly, the overall number of findings is moderate and can be interpreted as a good sign for the security of the inspected Lightway components,” reads Cure53's final report.

“Drawing on the combination of factors, namely the comprehensive coverage, low number of findings, and an absence of high-impact problems, it can be concluded that this Cure53 assessment of the ExpressVPN Lightway components concludes with a positive result.”

Experts also reported good access and communication throughout the assessment period, noting how the ExpressVPN team provided prompt and excellent responses whenever requested.

Even better, the provider is said to have fixed all the issues, and the fixes were already checked by Cure53 in February 2023.

In a blog post, ExpressVPN said it was very pleased with the outcomes. “We’re proud that we’ve helped to drive the VPN industry forward with technology innovations such as Lightway and TrustedServer.

“Our latest round of audits with unprecedented comprehensiveness is another example of how we are leading the industry forward to give internet users greater privacy and security.”

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
