ExpressVPN launches Lightway for all; open sources code and publishes new third-party audit

  • Lightway, ExpressVPN’s pioneering new VPN protocol, is now available to all users across all of its apps
  • Source code of Lightway is fully available to the public on GitHub
  • New audit report by Cure53 strengthens security, transparency and trust of Lightway

British Virgin Islands, 10 August 2021: Leading consumer privacy and security company ExpressVPN today fully launches Lightway, its in-house modern VPN protocol. The company also announces two new trust and transparency initiatives for Lightway: an independent security audit by Cure53 and the open-sourcing of Lightway’s code.

Lightway is a new VPN protocol built for an always-on world. It is designed for a speedier, more secure, and more reliable VPN experience that uses less battery. Its minimalist codebase also makes it easier to audit and maintain. Lightway supports both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which is key to its ability to run reliably on many different types of networks.

During the past year of beta tests, ExpressVPN found that, on average and compared with older protocols, Lightway:

  • Connects 2.5x faster: More than half of the time, Lightway connects the VPN in less than 1 second
  • Improves reliability by 40%: This means that users experience fewer drop-offs and less need to reconnect, especially on mobile
  • Increases speed by 2x: Lightway makes VPN speeds even faster, so users can do what they love online without interruption  

(Data from ExpressVPN users who opted in to share anonymized diagnostics information.)

Users can now enjoy the benefits of Lightway on all platforms and devices—Android, iOS, Windows, Mac, Linux, and routers.  

Cure53 puts Lightway to the test

ExpressVPN invited cybersecurity firm Cure53 to conduct a penetration test and source code audit of Lightway prior to a full rollout. The test was conducted in March 2021, then followed up in June 2021 to confirm that any identified issues had been fixed. 

Cure53 made 14 security-relevant findings, and none were classified as “critical”. ExpressVPN’s engineering team promptly addressed these findings, and Cure53 verified this as part of the audit.

“The codebase observed on Lightway Core follows consistent coding patterns and exhibits—in the testers’ view—a high quality,” according to Cure53.

“The outcomes of this Cure53 assessment…are generally positive. The scope of the ExpressVPN Lightway protocol assessed by Cure53 in this project makes a relatively robust impression. This holds despite the number of findings listed in this report. It is crucial to observe that the fixes are rather trivial to implement,” added Cure53.

The company was previously audited by PwC (PricewaterhouseCoopers) twice: once in 2019 to check that ExpressVPN’s servers were in compliance with its privacy policy, and once in 2020 to confirm that its build verification system sharply reduces the risk of inadvertently distributing malware to customers. ExpressVPN also published the results of Cure53’s security audit of its open-source browser extensions in 2019.

Elevating trust, transparency, and security of Lightway through open-sourcing

In addition to the audit, ExpressVPN is publishing the source code of Lightway Core under an open-source license (GNU General Public License, version 2). This means that anyone can carry out the same type of assessment that Cure53 conducted and make use of Lightway—even if they are not an ExpressVPN subscriber.  

Open-source code allows the global tech community to test and inspect the code, identify potential vulnerabilities, and improve overall security. Open-sourcing also enables anyone to assess for themselves whether the claims we make about Lightway and its architecture are true.

ExpressVPN has previously open-sourced its browser extensions and leak-testing tools. The company has also been running a bug bounty program since 2016 to reward security researchers who help them improve the security of their products.

“Speed, performance, privacy, security, reliability—no one protocol had them all. That’s why we invested resources to build Lightway from the ground up for modern VPN needs. The two latest trust and transparency initiatives give us even more confidence to fully launch Lightway at scale, and we are thrilled for more people to enjoy the benefits of Lightway,” said Harold Li, vice president, ExpressVPN. 

“This is one of the most significant innovations we have made to-date, and we are excited to give back to the privacy and security community by sharing Lightway with the world. We hope that it encourages others to contribute to Lightway’s code and drive the VPN industry forward with us,” added Peter Membrey, chief architect, ExpressVPN, who led the engineering work for Lightway.

To view the source code of Lightway, see ExpressVPN’s GitHub page. Visit Cure53’s website to read their full audit report on Lightway. For more technical insights about Lightway, including its cryptography, ciphers, authentication, and more, please read our dev blog.

— ENDS —


About ExpressVPN

Founded in 2009, ExpressVPN is one of the world’s largest providers of VPN services, enabling users to protect their privacy and security online with just a few clicks. The company’s award-winning software for Windows, Mac, iOS, Android, Linux, routers, and browsers secures user information and identities with best-in-class encryption and leak proofing. With servers across 94 countries, ExpressVPN provides a fast connection wherever users are and offers uncensored access to sites and services from around the world. To learn more about ExpressVPN’s privacy and security solutions, visit expressvpn.com.


APPENDIX 

Quote from wolfSSL, a cryptography library that Lightway uses:

“I do a lot of porting of projects to wolfSSL so I read lots of different source code and I must say that I am very impressed with the Lightway source code base. It is very terse and well written. I was able to read the entire source code in less than an hour!” Juliusz Sosinowicz, Software Engineer at wolfSSL.

Lightway user testimonials:

“I really love the Lightway protocol. I love being able to connect instantly and not wait. And I love how there is less battery drain. Now I can’t even tell the difference if I’m using a VPN or not.”

“The new protocol is insanely quick yet also very stable.”

“The instant connection is exceptional. Definitely a step up from other VPNs.”

“Lightway is extremely fast and efficient when compared to the OpenVPN protocol! Great work!”

“Love the new Lightway protocol. Super fast and doesn’t chew my battery!”

Spokespeople bio: 

Peter Membrey is chief architect at ExpressVPN, and has been with the company since 2016. He is responsible for driving engineering excellence within ExpressVPN, and provides internal tech consulting services, architecture review, and technical upskilling advice. He led the engineering work for Lightway, a new, cutting-edge VPN protocol, which was open-sourced for all to use in 2021. 

Peter is also a Chartered Fellow of the British Computer Society, a Chartered IT Professional and a Chartered Engineer. He has a doctorate in engineering and a master’s degree in IT specialising in Information Security. He has co-authored over a dozen books and a number of research papers on a variety of topics.

Harold Li is vice president at ExpressVPN and part of the company’s senior leadership team, working on product, customer experience, business development, and marketing. As a privacy and security expert at the company, he also works with advocacy and industry organizations such as the VPN Trust Initiative, Frontline Defenders, Open Technology Fund, and Access Now. He is a member of Forbes Technology Council, and has also contributed to The Next Web, VentureBeat, Entrepreneur, and more.
