ExpressVPN new third - party audit report and research paper on DNS leaks

ExpressVPN believe in earning user trust through transparency rather than just asking customers to take word for it. One way is by regularly publishing audits by trusted third parties, providing independent verification of the privacy and security commitments made to users.

Earlier this year, Attila Tomaschek , a VPN expert and staff writer at the tech publication CNET , notified ExpressVPN that he had observed unexpected DNS request behavior when using split tunneling on his windows machine .A fix was since deployed , and both in-house team and the original bug reporter from CNET have confirmed through independent testing that the issue was fixed .

But ExpressVPN wanted to go the extra mile to confirm that it's Windows apps were safe and secure for users. So it recently invited a third party cybersecurity firm "Nettitude" to conduct a penetration test on windows apps. The primary objective of the assessment was to ensure that the DNS issue related to split -tunneling feature was remediated and the app was bug free. The audit took place in March April 2024.

The results are pleasing which highlight the overall robust security level of the Express VPN app for windows . Nettitude found just one issue, which it rated as medium security .That issue has been remedied, as confirmed by Nettitude as part of its re-testing and reporting process .

RETHINKING DNS LEAKS in VPNs

This initial case identified by the CNET expert prompted it to delve deeply into Windows DNS over the past few months , and wanted to share some discoveries publicly. What initially started as a due diligence process to record and verify the unexpected behavior turned out to have been much more illuminating than expected .

The team went into the particular circumstances around this case and discovered that it looks like a much bigger issue-one that could potentially affect the entire VPN industry .It found a serious failing in the way DNS leaks are tested for and what is considered currently best practice .This issue was found in at least one other VPN provider which has since implemented the recommended solution .It's likely that many more providers could be affected .

A technical paper on findings is published so that others in the industry can investigate and improve their own apps. It is hoped that by transparently sharing research can help raise the bar for the entire industry. and therefore better safeguard the privacy and security of all VPN users -not just customers .

It has become increasingly clear that traditional frameworks for assessing online security are inadequate . Generally DNS leaks were often limited to scenarios where a users public IP address is inadvertently exposed to a DNS server. However research indicates that this view is overly simplistic an there's more to the story .

DNS leaks can be categorized into two types :

Type 1 DNS leaks occur when DNS requests bypass the VPN tunnel due to configuration errors or lack of protective measures .This exposes the user's IP address directly to DNS servers compromising their anonymity and privacy .

Type 2 DNS leaks present a subtler yet equally significant risk. It occurs when DNS requests are directed to DNS servers not deliberately chosen by the user. For example ,if a user intentionally sets their system to use a DNS provider like cloud flare , this action is deemed a matter of personal preference rather than a leak.

Type 1 DNS leaks with their glaring visibility have long been the focus of scrutiny .The subtler machinations of type 2 DNS leaks merit additional scrutiny and attention .It also uncovered how Stealth DNS servers, by remaining hidden from traditional DNS leaks detection tools, contribute to a false sense of security ,particularly with Type 2 leaks.

ExpressVPN thank everyone who has worked with it on this progress so far .Moving forward, it is of utmost importance to continue to refine detection methodologies, enhance the security measures of VPN services , and foster an environment of transparency and cooperation within the cybersecurity community .

. .