On 28th January, leading VPN provider ExpressVPN announced the release of an independent security audit into its Google Chrome browser extension as well as the open-source code in a move towards more transparency.
Cybersecurity firm Cure53’s investigation yielded eight “security-relevant” findings, with four categorized as “vulnerabilities” and four as “general weaknesses”. None of the issues were marked above a “Medium” for the level of severity, which Cure53 called “a good security indicator”.
The review of ExpressVPN’s browser extension for Google Chrome was conducted in October 2018. A team of four testers assessed the security and privacy protections of the browser extension.
ExpressVPN successfully fixed or mitigated seven of the eight issues, all of which were verified in Cure53’s report.
One ‘miscellaneous’ issue to do with unused permissions within the extension has not yet been addressed, but ExpressVPN said: “Reasons were discussed with the Cure53 team and the proposed solution was mutually accepted.”
The report concludes: “the ExpressVPN browser extension is well-implemented and it is apparent that the usual VPN bypass tricks, as well as actively malicious web pages trying to unmask the user, were taken into consideration and mitigated,
“It needs to be underlined that no security issues which would allow an attacker to influence the state of the VPN connection via a malicious web page or alike were discovered.”
ExpressVPN has now made the code for the browser extension open to all, in an attempt to demonstrate a high level of transparency and trustworthiness to its customers. It also enables anyone to carry out a similar assessment of the browser extension to that of Cure53.
A representative from ExpressVPN said in a blog post: “What we’ve announced today are two of the latest steps in our quest to not only demonstrate our commitment to security and privacy but also help set the bar for trust and transparency in the VPN industry.”
Last year, ExpressVPN launched a cross-industry initiative with the Center for Democracy and Technology (CDT) in an effort to raise standards for all VPNs.
CDT published a document called ‘Signals of Trustworthy VPNs’, which includes “a list of questions that a trustworthy VPN service should be able to answer honestly, clearly, and thoroughly, signally the provider’s commitment to earning user trust.”
The questions aim to help consumers make informed decisions when choosing a VPN, focusing on privacy, security, and data use practices.
You can review ExpressVPN’s answers to the questions here.