Can ExpressVPN Be Trusted and Is It Legal? Cure53 Report 2023
ExpressVPN recently published the results of an independent security audit of their browser extension by cybersecurity firm Cure53. They have also announced the open-sourcing of their browser extension code.
ExpressVPN is one of the most popular VPNs on the market for good reason. It’s earned high praise for its lightning-fast speeds, user-friendly service, and its strong commitment to user privacy.
Even when a VPN provider has a great reputation, we try to avoid blindly trusting any company to protect our security and privacy. After all, we don’t always know what goes on behind the scenes.
That’s why we love when VPN providers embrace transparency and take real steps to truly earn our trust.
Below, we are going to walk you through the results of Cure53’s security audit of ExpressVPN’s browser extension and discuss what this means for both you and ExpressVPN.
Who Is Cure53?
We can tell you with confidence that Cure53 is a well-respected and reputable cybersecurity firm. In fact, when we first talked to them to verify their procedure, we were so impressed with what we learned that we have hired them ourselves in the past.
In the past, Cure53 has also performed audits of TunnelBear, Jigsaw’s Outline VPN, and Surfshark, to name a few.
Cure53’s audits are no joke. The Cure53 team has proven time and time again that they can really put cybersecurity software to the test and detect security threats of all shapes and sizes.
Audits like this are an extremely important step for cybersecurity providers to take. Security audits allow vendors to identify and fix any possible vulnerabilities in their product before they can be exploited.
Hiring an independent firm like Cure53 proves that the results of the audit are accurate and unbiased.
Not All Browser Extensions Are Created Equal
The audit that we’re discussing in this article looked at ExpressVPN’s browser extension, which is available for Chrome and Firefox. There are a few reasons why browser extensions deserve an extra critical eye.
Take a minute to open up the extension database for Chrome or Firefox and look at how many browser extensions claim to be able to offer you secure protection or anonymity online.
Many standalone browser extensions that promise security call themselves VPNs, but in reality are nothing more than proxies.
The results of the Cure53 report prove that unlike many other extensions, ExpressVPN’s browser extension gives you the protection of a true VPN. But what’s the difference?
Proxy vs VPN
Proxies and VPNs both hide your IP address and direct your traffic through a remote server to make it look like you are connecting to the internet from a different location. However, the similarities between the two services pretty much end there.
In addition to masking your location, VPNs secure your traffic with end-to-end encryption and direct it through a safe tunnel in order to protect your connection from interference and leaks.
VPNs are also equipped with extra security features to protect you in the event that your connection suddenly drops or becomes vulnerable. Whether your goal is geo-spoofing, anonymous torrenting, or online privacy, there are many reasons to choose a VPN over a proxy.
Why Is Open-Sourcing a Big Deal?
Although browser extensions can do a lot to keep you safe, installing the wrong one can seriously put your security and privacy at risk. At best they could be ineffective, and at worst they could be intentionally collecting or leaking your personal information.
When you download a browser extension for cybersecurity purposes, it requires some pretty intimate permissions to work properly. These extensions may ask for permission to access all your data while you browse the web, or even to change any of your data on the websites you visit.
If you’re like us, the idea of giving that much power to a random browser extension probably makes you nervous. That’s why ExpressVPN made a great move by open-sourcing their browser extension code.
This means the ExpressVPN browser extension code is publicly available and anyone who wants to look through the code and make sure the extension is using the requested permissions responsibly can do so.
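As an added illustration of that kind of review (this is not ExpressVPN's code, and the manifest below is constructed for the example), here is a small Node.js check that reads an extension's manifest and reports whether it asks for access to every site and which sensitive browser APIs it requests. The function name `auditManifest` and the choice of which APIs to flag are assumptions of this example; it handles both Manifest V2 and V3 layouts.

```javascript
// Added example: classify what a WebExtension manifest asks for.
// The sample manifest is constructed for illustration; it is not ExpressVPN's.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// WebExtension API permissions that expose browsing data or affect network settings
// (the selection is this example's assumption, not an official list).
const SENSITIVE_APIS = new Set(["proxy", "privacy", "webRequest", "webRequestBlocking",
  "nativeMessaging", "cookies", "tabs", "history"]);

// A permission string is a host match pattern if it has a scheme or is <all_urls>.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  // MV2 mixes API names and host patterns in "permissions"; MV3 moves host
  // patterns to "host_permissions". Content scripts grant page access too.
  const required = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const optional = [...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || [])];
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const hosts = [...required.filter(isHostPattern), ...scriptHosts];
  const broadHosts = [...new Set(hosts.filter((h) => BROAD_HOSTS.has(h)))];
  return {
    manifestVersion: manifest.manifest_version,
    // True when the extension can read and change pages on every site.
    allSitesAccess: broadHosts.length > 0,
    broadHosts,
    scopedHosts: [...new Set(hosts.filter((h) => !BROAD_HOSTS.has(h)))],
    sensitiveApis: required.filter((p) => SENSITIVE_APIS.has(p)),
    // Optional permissions are requested at runtime, so they need review as well.
    optionalSensitive: optional.filter((p) => SENSITIVE_APIS.has(p) || BROAD_HOSTS.has(p)),
  };
}

// Constructed sample manifest (MV2 style) for a hypothetical VPN helper extension.
const sampleManifest = {
  manifest_version: 2,
  name: "Example VPN Helper",
  permissions: ["nativeMessaging", "privacy", "storage", "webRequest", "<all_urls>"],
  optional_permissions: ["history"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

A result with `allSitesAccess: true` corresponds to the "access all your data on the websites you visit" style of permission described above, which is the point where reading the published source matters most.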
Audit Report – Analysis and Results
The audit report is freely available on the Cure53 website, but we are going to summarize it for you so that you don’t have to worry about reading it yourself.
Cure53 did a penetration test and source code audit of ExpressVPN’s browser extension for Chrome. This basically means that ExpressVPN gave Cure53 full access to all of their source code and builds. A team of four Cure53 testers fully tested the extension’s security and privacy protections and identified any vulnerabilities.
The Cure53 team identified a total of eight issues: four vulnerabilities and four other minor issues that could create a problem in the future if unresolved.
Three of the eight issues were given a “medium” severity level, two were given a “low” severity level, and the rest were labeled “informational.”
Cure53 made it clear that these findings were very positive and that “no security issues which would allow an attacker to influence the state of the VPN connection via a malicious web page or alike were discovered.”
Cure53 explained that some of the minor issues they found had to do with the fact that ExpressVPN offers such advanced protection in the first place. ExpressVPN’s extension is very ambitious in the quality of security and privacy that it strives to provide.
Certain vulnerabilities were inevitable due to inherent design aspects of web browsers themselves.
One of the most important details in the report is the fact that ExpressVPN has already fixed all of the vulnerabilities that Cure53 identified. The report confirms that each of the fixes has already been successfully verified by the Cure53 team.
2023 Update
ExpressVPN has continued to take steps towards transparency. A recently released report details a new audit conducted by the accounting firm PwC between May and June 2019. PwC is one of the largest accounting firms in the world. ExpressVPN sought to confirm its compliance with its stated privacy policy.
PwC was also tasked with auditing the technology behind ExpressVPN's TrustedServer feature. This was done to verify that it works in accordance with ExpressVPN's claims.
Conclusion
The results of the audit show that ExpressVPN is truly committed to offering strong security, privacy, and anonymity. Browser extensions are hard to get right, but ExpressVPN’s extension really does provide users with all the protection of a true VPN.
This is great news for the quality of ExpressVPN’s browser extension. We were equally impressed by ExpressVPN’s commitment to transparency.
By open-sourcing their browser extension code, ExpressVPN is sending a powerful message to both VPN users and other VPN providers that trust and transparency should be the industry standard.