Safety is the most important aspect to keep in mind when looking for the optimal VPN service for your needs. Flashy features can be omitted in order to lower the final price of the service, but the security setup and privacy options have to be superb in order to combat modern dangers lurking on the Internet.
ExpressVPN was founded back in 2009. The company is incorporated in the British Virgin Islands, which puts it outside of the legal reach of the US and the EU, together with their government agencies and spy networks.
Our staff tested ExpressVPN software across various supported platforms looking to identify any potential leaks and insufficiencies. Keep reading this comprehensive report to learn all about ExpressVPN security levels and view our final test results.
As we already mentioned, ExpressVPN is incorporated in the British Virgin Islands, which means US/EU legislature cannot demand any type of user data inspection. The British Virgin Islands have no mandatory data retention laws, so the company is under no obligation to collect and store your sensitive information in order to hand it over to authorities and government agencies and organizations.
With that in mind, ExpressVPN implements a strict no-logging policy, which means it will never log your browsing history, IP addresses, traffic metadata and destination, DNS queries, and other sensitive information. Bottom line, the company will not possess any data that could identify you as an individual. Worst case scenario, even if the British authorities requested user data from ExpressVPN (since the BVI is British overseas territory), the company would have nothing to hand over since it logs nothing of importance.
Having said that, ExpressVPN will collect some information required to provide you with its services. This includes your email address and payment method (unless you are using Bitcoin), apps and activated versions, dates (not times) when you used the service, choices of VPN locations, and data transfer per day (in MB).
ExpressVPN uses AES-256-CBC cipher to encrypt your traffic along with SHA-512 hashing and RSA-4096 handshake. The data channel utilizes a symmetric encryption scheme with DH exchange for key negotiation. This security setup is quite literally unbreakable since it would take supercomputers billions of years to crack the 256-bit keys.
On top of that, the software comes equipped with perfect forward secrecy, which means every single session is assigned a new encryption key. In case you prefer longer sessions, the software will change the key automatically every 60 minutes. Practically speaking, this means that even if somebody manages to get your encryption key, which is impossible, the key would just allow them to intercept the traffic during that particular session. The next one will be assigned with a new key, rendering the previous one useless.
When it comes to connection protocols, ExpressVPN supports OpenVPN (TCP/UDP), IKEv2/IPsec, PPTP, and L2TP. PPTP and L2TP are quite outdated and easily breakable, so we do not recommend using them unless you absolutely have to. If you do not know much about VPN protocols, you can let the client pick one automatically based on your Internet speed and desired level of security.
ExpressVPN features slip tunneling as well, which allows you to protect some of your traffic with a VPN while leaving the rest of it exposed. Finally, every server is equipped with a proprietary DNS, so ExpressVPN does not have to rely on third-party DNS that might come with lower levels of protection.
ExpressVPN allows P2P filesharing on all of its servers. All ExpressVPN users get unlimited bandwidth, speeds, and server switching. The convenient speed test feature implemented in the client will help you identify the best server for your personal needs.
Note that ExpressVPN does not support illegal downloading of copyrighted material, but the company does not have any tools to actually catch you in the act since it does not monitor user traffic or log any relevant data.
During our testing circuit, we did not notice any DNS leaks since all the popular tools only registered our assigned IP and were not able to identify our actual address. In other words, ExpressVPN does not leak any information whatsoever. The client comes with a reliable killswitch feature to protect your information from leaking out in case your VPN gets incapacitated for whatever reason.