ExpressVPN Launches Lightway For All; Open Sources Code And Publishes New Third-party Audit

  • Lightway, ExpressVPN’s pioneering new VPN protocol, is now available to all users across all of its apps
  • Source code of Lightway is fully available to the public on GitHub
  • New audit report by Cure53 strengthens security, transparency and trust of Lightway

Leading consumer privacy and security company ExpressVPN fully launches Lightway, its in-house modern VPN protocol. The company also announces two new trust and transparency initiatives for Lightway: an independent security audit by Cure53 and the open-sourcing of Lightway’s code.

Lightway is a new VPN protocol built for an always-on world. It is designed for a speedier, more secure, and more reliable VPN experience that runs on less battery. Its minimalist codebase also means that it is easier to audit and maintain. Lightway supports both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which is key to its ability to run reliably on many different types of networks.

During the past year of beta tests, ExpressVPN found that, compared to older protocols, Lightway on average:

  • Connects 2.5x faster: More than half of the time, Lightway connects the VPN in less than 1 second
  • Improves reliability by 40%: This means that users experience fewer drop-offs and have to reconnect less often, especially on mobile
  • Increases speed by 2x: Lightway makes VPN speeds even faster, so users can do what they love online without interruption

Users can now enjoy the benefits of Lightway on all platforms and devices—Android, iOS, Windows, Mac, Linux, and routers.

Cure53 puts Lightway to the test

ExpressVPN invited cybersecurity firm Cure53 to conduct a penetration test and source code audit of Lightway prior to a full rollout. The test was conducted in March 2021, then followed up in June 2021 to confirm that any identified issues had been fixed.

Cure53 made 14 security-relevant findings, and none were classified as “critical”. ExpressVPN’s engineering team promptly addressed these findings, and Cure53 verified this as part of the audit.

“The codebase observed on Lightway Core follows consistent coding patterns and exhibits—in the testers’ view—a high quality,” according to Cure53.

“The outcomes of this Cure53 assessment…are generally positive. The scope of the ExpressVPN Lightway protocol assessed by Cure53 in this project makes a relatively robust impression. This holds despite the number of findings listed in this report. It is crucial to observe that the fixes are rather trivial to implement,” added Cure53.

The company was previously audited by PwC (PricewaterhouseCoopers) twice: an audit in 2019 to check that ExpressVPN’s servers were in compliance with its privacy policy, and one in 2020 to confirm that its build verification system sharply reduces the risks that could result in the inadvertent distribution of malware to customers. ExpressVPN also published the results of Cure53’s security audit of its open-source browser extensions in 2019.

Elevating trust, transparency, and security of Lightway through open-sourcing

In addition to the audit, ExpressVPN is publishing the source code of Lightway Core under an open-source license (GNU General Public License, version 2). This means that anyone can carry out the same type of assessment that Cure53 conducted and make use of Lightway—even if they are not an ExpressVPN subscriber.

Open-source code allows the global tech community to test and inspect the code, identify potential vulnerabilities, and improve overall security. Open-sourcing also enables anyone to assess for themselves whether the claims ExpressVPN makes about Lightway and its architecture are true.

ExpressVPN has previously open-sourced its browser extensions and leak-testing tools. The company has also been running a bug bounty program since 2016 to reward security researchers who help them improve the security of their products.

“Speed, performance, privacy, security, reliability—no one protocol had them all. That’s why we invested resources to build Lightway from the ground up for modern VPN needs. The two latest trust and transparency initiatives give us even more confidence to fully launch Lightway at scale, and we are thrilled for more people to enjoy the benefits of Lightway,” said Harold Li, vice president, ExpressVPN.

“This is one of the most significant innovations we have made to-date, and we are excited to give back to the privacy and security community by sharing Lightway with the world. We hope that it encourages others to contribute to Lightway’s code and drive the VPN industry forward with us,” added Peter Membrey, chief architect, ExpressVPN, who led the engineering work for Lightway.
