How ExpressVPN authenticates its apps

  • Certificates are secure but not necessarily private
  • ExpressVPN opts for username and password authentication for privacy and convenience
ExpressVPN news
2 mins
Two keys representing authentication.

This post was originally published on June 9, 2017.

How do ExpressVPN servers know which app belongs to a customer and which does not?

On most apps, the authentication happens in the background. Once a user signs in, the app will authenticate itself every time it connects.

ExpressVPN operates a username and password combination to authenticate users, which has significant privacy and performance benefits over alternatives such as certificates.

Certificates vs. passwords

Certificates or, more precisely, public key certificates, are signed public keys. In the context of a VPN, the two most relevant possible certificates are the server certificates and client certificates.

Server certificates make sure the app connects to a server operated by ExpressVPN, as opposed to one operated by, for example, a malicious snoop.

Client certificates make sure the client is authorized to make the connection, i.e., use the VPN. While certificates might appear the more fancy option, they have some significant downsides compared to a username and password combination.

The issues with privacy certificates and the benefits of usernames and passwords

User authentication certificates are sent to the internet in plaintext. While this is not a problem for security—a connection is only initiated if the certificates are legitimate and untampered with—every user has a unique certificate, so an observer might be able to see the beginning of a VPN connection and use it to build a profile of the user.

Though a certificate doesn’t have a name or email address attached, other information, such as the records of an internet service provider (ISP) or mobile phone operator, could be used to infer which certificate belongs to who.

If all ISPs collect cleartext certificates automatically, they could map the movements of each user and, for example, through their most common connection location, identify the owner by name and home address.

For better privacy, username and password authentication does not use plaintext. Rather, a TLS connection between the app and the server ensures the transmission of all credentials is encrypted—meaning there is no identifying information.

ExpressVPN opts for privacy and convenience

When using ExpressVPN apps, the auth method is invisible to the user, and any potential observer, meaning your privacy is better protected.

If you don’t use the ExpressVPN apps but rather use a third-party application, such as Tunnelblick, you’ll have to set up your app to connect to the ExpressVPN network manually.

To obtain your authentication username and password (which are different to your ExpressVPN Panel login credentials), follow these simple steps:

  1. Log in to the ExpressVPN panel
  2. Click Set up ExpressVPN
  3. Select Manual Config

ExpressVPN manual config set up.

There’s no need to remember your username and password, as you’ll always be able to retrieve them from the ExpressVPN panel. You should, however,
keep your credentials private to prevent other people from using your VPN service.

When setting up a device with a non-ExpressVPN app, it’s far easier and more convenient to copy your username/password combination than a certificate.

If you run into any problem with an ExpressVPN app, please contact the Support Team.

The devs are the backbone of ExpressVPN and occasionally contribute their otherworldly wisdom to the blog.