ExpressVPN is a virtual private network service offered by the British Virgin Islands-based company Express VPN International Ltd. The software is marketed as a privacy and security tool that encrypts users’ web traffic and masks their IP addresses.
In 2018, TechRadar named the services its Editors’ Choice.
ExpressVPN has released apps for Windows, macOS, iOS, Android, Linux, and routers. The apps use a 4096-bit CA, AES-256-CBC encryption, and TLSv1.2 to secure user traffic. Available VPN protocols include OpenVPN, SSTP, L2TP/IPSec, and PPTP.
As of March 2019, ExpressVPN runs over 3,000 remote servers in 160 locations and 94 countries, with the largest numbers of servers located in Brazil, Canada, United States, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, United Kingdom, Australia, Hong Kong, India, Japan, Singapore, South Korea and Taiwan.
In July 2017, ExpressVPN announced in an open letter that Apple had removed all VPN apps from its App Store in China, a revelation that was later picked up by The New York Times and other outlets. In response to questions from U.S. Senators, Apple stated it had removed 674 VPN Apps from the App Store in China in 2017 at the request of the Chinese government.
In December 2017, ExpressVPN came into the spotlight in relation to the investigation of the assassination of Russian ambassador to Turkey, Andrei Karlov. Turkish investigators seized an ExpressVPN server which they say was used to delete relevant information from the assassin’s Gmail and Facebook accounts. Turkish authorities were unable to find any logs to aid their investigation, which the company said verified its claim that it did not store user activity or connection logs, adding; “while it’s unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install ‘backdoors’ or attempts by governments to otherwise undermine such technologies.
TorrentFreak has interviewed ExpressVPN in their annual comparison of VPN providers since 2015.
On 14 January 2016, ExpressVPN was criticized by former Google information security engineer Marc Bevand for using weak encryption. Bevand had discovered that only a 1024-bit RSA key was used to encrypt the service’s connections after using it to test the strength of the Great Firewall of China. Bevand described ExpressVPN as “one of the top three commercial VPN providers in China” and asserted that the Chinese government would be able to factor the RSA keys to potentially spy on users. On January 25, ExpressVPN announced that it would soon roll out an upgraded CA certificate. On February 15, Bevand wrote in an update that ExpressVPN had reported to him that they had now switched to 4096-bit RSA keys.
In a review done by PCMag UK editor Max Eddy in May 2017, the service scored 4 out of 5 with the bottom-line being that although the service wasn’t the fastest, it “certainly protects your data from thieves and spies.” In October 2017, TechRadar gave the service 4½ out of 5 stars, calling it “a premium service with well-crafted clients, an ample choice of locations and reliable performance.” PCWorld rated the service 3½ out of 5 in their September 2017 review, commending it for its easy-to-use software while criticizing “the secrecy behind who runs the company.”
In December 2017, ExpressVPN announced a “Privacy Research Lab” project, including open source leak testing tools released on GitHub. The tools enable users to determine if their VPN provider is leaking network traffic, DNS, or true IP addresses while connected to the VPN, such as when switching from a wireless to a wired internet connection. Comparitech tested the tools with 11 popular VPN services and found leaks across every VPN provider, with the exception of ExpressVPN. However they clarified, “To be fair, ExpressVPN built the test tools and applied them to its own VPN app prior to publication of this article, so it has already patched leaks that it initially detected.“