Update: Since we first published this article, a second security audit of Lightway has been conducted. Find out more here.
ExpressVPN is constantly innovating in a relentless pursuit of new ways to make our services—and indeed all VPNs—more secure. That’s a key reason we developed Lightway: Our aim was to create a VPN protocol that puts privacy and security first, without compromising on speed or connection reliability.
Over the past year, our users have been able to experience just how fast their connections are with Lightway, how quickly they are able to get a VPN connection—often in a fraction of a second—and how reliable their connections are, even when changing networks. Lightway is yet another reason—along with the advanced server and bandwidth infrastructure we’ve built—we are able to provide the best VPN service for our users.
And now, anyone can see for themselves what’s gone into Lightway’s core code, as well as read an independent audit of Lightway’s security by cybersecurity firm Cure53.
Read more: Introducing Lightway, ExpressVPN’s new protocol for a superior VPN experience
Commitment to transparency: Open-sourcing Lightway core
We are pleased to announce that Lightway’s source code has been published under an open-source license (GNU General Public License, Version 2). This means its core codebase is available for viewing (see it on GitHub here). Anyone may also contribute to this code, as well as use it freely—even other VPN providers!
Open-source software is considered more secure because there are more eyes on the code. This means that anyone can freely scrutinize the code, assess just how secure the protocol is, and help identify areas of improvement. Find a security bug? Let us know through our bug-bounty program, and you could be rewarded. Open-sourcing also enables anyone to assess for themselves whether the claims we make about Lightway and its architecture are true.
Open-sourcing is also one of our ways of benefiting the wider VPN community. We’re excited to give back to the community by sharing our innovation with the world, and we look forward to seeing what others can do with it. In accordance with the ethos of innovation for all, we also previously open-sourced our browser extensions and leak-testing tools.
Third-party security audit
Lightway has also recently been assessed by cybersecurity firm Cure53, which conducted a penetration test and a source-code audit to confirm the strength of the protocol’s security. The findings were positive, with the report reading, “The codebase observed on Lightway Core follows consistent coding patterns and exhibits—in the testers’ view—a high quality.”
We are pleased with the results, which display the overall robust level of security we have designed for Lightway. The assessment identified several weaknesses, and we have since taken measures to mitigate the associated risks, which Cure53 verified as part of the audit. Read the full report here.
ExpressVPN regularly commissions independent audits and assessments on our products as a way to test our security claims and confirm them for our users. Read more about these independent reports, including ones by PwC on ExpressVPN’s privacy protections and on our build verification system. Cure53 has also conducted a security review of our browser extension in the past.
Security innovations for all
We’re proud that some of the innovations we’ve pioneered have helped to drive the VPN industry forward.
For example, we were the first in the industry to create TrustedServer. One of TrustedServer’s innovations is that it runs all our servers only on volatile memory, or RAM-only. Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again—stopping both data and potential intruders from persisting on the machine. Others have since followed our lead to roll out similar technology.
Lightway is another example of technology that we’ve built from the ground up, and we hope it will have an influence on the VPN industry as a whole.
Not sure if you’re using Lightway? Find out how to choose your VPN protocol on our apps for Mac, iOS, Windows, Android, Linux, and routers.
Comments
Why are there no documents that explain the details of the Lightway protocol? It’s very hard to understand the code on GitHub. I want to know how the server and client authenticate, how they share the secret key, and how they encrypt data. I’m also interested in understanding the details of the packets.
How does a company like ExpressVPN make sure, prevent, forestall, that none of the contributors/employees are secretly putting backdoors/security risks into the code, be it for their own personal reasons, or because they secretly work for a state government?
Good question. Here are some insights:
https://www.expressvpn.com/blog/build-verification-system-prevents-malware/
https://www.expressvpn.com/trust