ExpressVPN is one of the best VPNs around, mainly because of its speed. This is due to several factors, not the least of which is the server technology employed by the company. Called TrustedServer, it not only promises faster speeds than the competition, but also superior privacy. Let’s see how it works.
Foundations of TrustedServer
The full operation of TrustedServer is covered in this ExpressVPN blog post by Shaun S., an engineer at the company and the creator of the technology. The full article is remarkably detailed – we wish more companies were this transparent – so we’ll quickly summarize it here for the less tech-savvy among you.
At the heart of every VPN provider are their servers, computers that reroute your connection. We have explained VPN servers in detail, but in short, they have their own type of hardware and software, including their own type of operating system.
In the case of TrustedServer, this operating system is a customized version of Linux, which is updated weekly. Each time a new version of the operating system is created, the code is verified by a second engineer, or even a third for more in-depth modifications.
Each engineer must also access their work using a special cryptographic key that identifies them. This ensures that no one can add anything that could compromise the integrity of the OS, either maliciously or by accident.
Once the update is developed, the new version of the operating system is tested on internal servers by the team before being deployed. If all goes well, the update is then rolled out, again with a number of safeguards to ensure safety.
This is a very involved process with many double checks, which together with the transparency of the process gives us great confidence in the security of ExpressVPN’s servers. However, that’s not even what makes TrustedServer unique.
The beauty of these regular weekly updates – aside from making sure any new threats can be dealt with – is that resetting a server also deletes all data on it. Indeed, ExpressVPN’s servers do not run from hard drives, but operate entirely in RAM, or random access memory.
The difference is that once you write something to a hard drive, it stays there until someone deletes it, while RAM loses everything stored in it when the system restarts. This means that even in the event of a system intrusion, none of your logs (the records that show when and where you logged in) can be found. This is the essence of VPNs and therefore very important.
Naturally, the problem is that if someone were to break into the system (or obtain a warrant) the day before the update, they would get a week’s worth of logs. That’s why ExpressVPN has a system in place that it says ensures no logs are created, let alone kept.
Again, this system is layered, with failsafes built on top of failsafes. The first step is the design of ExpressVPN’s VPN protocols, which are the rules that govern how the VPN server communicates with other computers on the network. ExpressVPN’s proprietary Lightway protocol supposedly keeps no logs, and ExpressVPN has customized all the other protocols it uses, such as OpenVPN, so that they don’t either.
However, it is not always possible to predict what will happen: a protocol can reconfigure itself by accident, or another incident can lead to the accidental creation of a log. To prevent this, ExpressVPN sends any output from VPN-related software directly to a black hole inside the operating system.
Known as /dev/null, this is a special file that destroys anything sent to it without a trace. This is a pretty cool little trick, and we think it’s used by many VPNs to destroy logs.
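For readers who run their own Linux servers, here is one way to check that a running process really has its output pointed at /dev/null. This is an added example, not ExpressVPN's code; the function names are made up for illustration, and the `sleep` child is a constructed stand-in for a VPN daemon.

```shell
#!/bin/sh
# Added example (not ExpressVPN's code). Linux only: relies on /proc/<pid>/fd.

# fd_is_null PID FD: true when the descriptor refers to the same file as
# /dev/null and /dev/null is a character device (not a regular file that
# someone swapped in, which would quietly keep everything written to it).
fd_is_null() {
    [ -c /dev/null ] && [ "/proc/$1/fd/$2" -ef /dev/null ]
}

# output_discarded PID: exit 0 only if stdout (1) and stderr (2) are both
# discarded; otherwise print where the first offending descriptor points.
output_discarded() {
    for fd in 1 2; do
        if ! fd_is_null "$1" "$fd"; then
            target=$(readlink "/proc/$1/fd/$fd" 2>/dev/null || true)
            echo "pid $1 fd $fd -> ${target:-unreadable}"
            return 1
        fi
    done
    return 0
}

# Demo on a constructed child process standing in for a VPN daemon.
sleep 30 >/dev/null 2>&1 &
demo_pid=$!
sleep 1   # give the child time to apply its redirections
if output_discarded "$demo_pid"; then
    echo "pid $demo_pid: stdout and stderr are discarded"
fi
kill "$demo_pid"
```

The check only covers the two standard output streams. A program can still write a log by opening a file itself or by sending messages to the system logger, so those have to be checked separately.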
Closing the Circle
All of the above sounds great, but as is often the case with no-logs VPN claims, you’re taking all of the company’s promises at face value. After all, you’re unlikely to be able to just go in and check if TrustedServer works as advertised. To solve this problem, more and more VPNs are relying on independent third-party audits.
ExpressVPN hired PricewaterhouseCoopers, a major accounting and security firm, better known as PwC, to perform its TrustedServer technology audit, and it passed with flying colors. This indicates that the technology is working as advertised.
That said, there are a few points to make. For one, ExpressVPN doesn’t allow you to sign up anonymously, so your personal data, like your name and address, is still in a database somewhere and could be vulnerable to an attack.
For another, audit or not, you should always take no-logs promises with a grain of salt. While ExpressVPN hasn’t given us many reasons to doubt its word, PwC has. The company’s recent history is littered with accusations of wrongdoing: for example, a whistleblower claims that its auditors went out of their way to ensure that they would retain the contracts of the Silicon Valley companies they were auditing. This 2020 article from accounting site Going Concern recaps some of the biggest lawsuits PwC has been involved in.
That said, ExpressVPN has also been audited on other parts of its technology (like this one by Cure53 for its browser extension), so we’re confident that TrustedServer works as advertised. Overall, ExpressVPN’s transparency is a good indicator that you can trust its technology to keep your data secure.