At ExpressVPN, we’re driven by a commitment to build best-in-class, security-first products that set new industry standards. That’s why, since the launch of Lightway, our open-source VPN protocol built from the ground up, we have continually commissioned penetration tests and source-code audits to validate its security.
As we unveil the latest iteration of Lightway, now completely reimplemented in Rust and subsequently open-sourced, we’re pleased to announce that it’s backed by not one but two comprehensive security audits from the independent cybersecurity firms Cure53 and Praetorian. This rigorous dual-audit approach, unusual in the industry, reflects our uncompromising standards for security validation.
Dual audits for greater trust and transparency
Today, we’re pleased to share the results of the latest independent audits of Lightway. The assessments by Praetorian and Cure53, which took place in September and October 2024 respectively, examined Lightway’s new source-code implementation and the WolfSSL-RS sources.
We’re proud to share that the security audits delivered consistent, positive results, a strong validation of Lightway’s Rust implementation. Across both reports, only a small number of issues were identified, none of which were critical. The report from Praetorian identified just two low-risk issues, while Cure53 noted five items, four of which were classified as miscellaneous findings with low exploitation potential. The issues have since been addressed and validated again by both firms in a retest conducted in December 2024.
The report from Cure53 further stated that the “very limited number of findings, especially with just one exploitable vulnerability, can be interpreted as a positive sign for the security of the ExpressVPN Lightway protocol.”
“Ultimately, it can be argued that the ExpressVPN Lightway protocol and its implementation in Rust are already in a good state of security,” Cure53 summarized in its report.
Similarly, Praetorian’s report commended the effective controls in Lightway’s technology, specifically highlighting the “secure usage of Rust unsafe blocks,” which lets us retain the flexibility to perform essential low-level network operations that are not possible under Rust’s standard memory-safety guarantees, while confining that risk to small, reviewed sections of code.
The report further highlighted the strong cryptographic primitives in Lightway, which are built on WolfSSL and protect encrypted traffic against a range of attacks including replay, injection, tampering, and cache-timing, ensuring the highest security standards when connecting with Lightway.
“ExpressVPN has always led the industry in third-party evaluation and verification of our software, technology, and policies,” says Aaron Engel, Chief Information Security Officer at ExpressVPN. “Having Lightway evaluated by two independent third-party auditors is our way of showing our commitment to transparency while demonstrating our confidence in the technology we have developed.”
Industry-leading VPN protocol
A VPN protocol plays a crucial role as the foundation of every VPN service. By reimplementing Lightway in Rust, our goal is to improve the overall VPN experience with better security and better performance.
By subjecting our Rust implementation to this level of scrutiny, we’re not only ensuring the highest security standards for our users but also contributing to the broader VPN industry’s evolution by providing a fully vetted, open-source protocol that others can adopt.
Read the full reports from Cure53 and Praetorian.