Is ExpressVPN safe and secure?

Shopping for a Virtual Private Network (VPN) can be confusing. Providers love to throw around terms like “military grade encryption” or “complete anonymity” without really explaining what these terms mean. It’s easy to assume services offer a higher level of security than they actually do. To help out, we’ve dug deep into one of the most popular VPNs on the market, ExpressVPN.

In this guide, our experts will reveal what kinds of logs it keeps, what safeguards it uses to protect your data, and ultimately, if ExpressVPN can keep you safe.

Is ExpressVPN safe? The quick answer

ExpressVPN takes your security seriously. It doesn’t have as many customizable tools as some of its rivals, but it does include everything you’ll need to browse the web anonymously. Best of all, its more advanced features kick in automatically, allowing even complete novices to keep their online activities private. This VPN has spent a huge amount of resources making sure that it can be used anywhere, even places like China. Finally, both its privacy policy and apps have been independently audited, which means you don’t have to take its privacy claims at face value.

ExpressVPN security overview

Despite its user-friendly apps, ExpressVPN is actually quite a sophisticated piece of software. Below, we’ll break down how VPNs work, explain each step of the connection process, and reveal how ExpressVPN stacks up against its competition.

Encryption

Your internet service provider monitors and controls the flow of your traffic, but it’s far from the only organization that can see what you get up to online. For instance, when you use public wifi hotspots or your office’s network, the administrator can keep tabs on your activities. VPNs prevent this by encrypting your data, which scrambles it and makes it impossible to read without the correct decryption key. Some encryption methods are more secure than others, which is why it’s crucial your VPN meets industry standards.

ExpressVPN primarily uses AES-256 encryption with 4096-bit DHE-RSA keys. If you’re on a lower-powered device, it may instead use ChaCha20 encryption. The important thing is that both of these algorithms are currently considered uncrackable. The service boasts perfect forward secrecy, which means that even if an attacker compromises a single key, they can’t use that to reveal what you did during previous sessions.

Protocols

With your data properly encrypted, the next step is to make sure it reaches the server securely. This is where connection protocols come in. Every protocol is a different set of rules that governs how your traffic is sent and processed by the VPN server. Due to advances in cryptography and increasingly sophisticated cracking tools, once-popular protocols like PPTP are no longer safe to use.

ExpressVPN supports OpenVPN, which is a well-respected protocol that has remained secure for over 20 years. Recently, many providers have begun to favor WireGuard instead as it’s easier to audit and significantly faster. ExpressVPN went in a different direction, developing its own protocol named Lightway, which boasts equally impressive performance while also keeping your connection secure during the split-second when your device switches networks.

Now, you might be hesitant about using a proprietary protocol, and that’s understandable. But Lightway has been independently audited twice and is completely open-source, meaning anyone can take a look at its code and see how it works. In fact, ExpressVPN recently added post-quantum support. In simple terms, this means Lightway will remain secure, even as ultra-powerful quantum computers become mainstream.

Safeguards

Now it’s time to make sure that there are no vulnerabilities that someone could use to sidestep the VPN’s encryption. For instance, if your VPN leaks DNS requests or doesn’t block IPv6 traffic, or if you use services that rely on WebRTC, your real IP address could be exposed.

You’ll almost always find DNS and IPv6 leak protection built into popular VPNs. Usually, you’ll have to manually disable WebRTC in your browser settings. ExpressVPN, however, is one of the few providers that can prevent IPv6, DNS, and WebRTC leaks automatically.
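One way to check for the DNS and IPv6 leaks described above on a Linux machine, as an added example that is not from ExpressVPN or the original article. It assumes a tunnel interface named tun0 and a tunnel network of 10.8.0.0/24 (both hypothetical), and the resolv.conf and `ip -6 route` text is constructed sample input. WebRTC leaks happen inside the browser and are not covered here.

```python
import ipaddress

def dns_outside_tunnel(resolv_conf, tunnel_net):
    """Return nameservers from resolv.conf text that are not in the tunnel network."""
    net = ipaddress.ip_network(tunnel_net)
    outside = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()       # drop trailing comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = ipaddress.ip_address(fields[1].split("%")[0])  # drop zone id
            # A loopback stub resolver is reported as well: it hides the real
            # upstream server, which then has to be checked separately.
            if addr not in net:
                outside.append(str(addr))
    return outside

def ipv6_default_off_tunnel(ip6_routes, tunnel_if):
    """Return interfaces that carry an IPv6 default route outside the tunnel."""
    leaks = []
    for line in ip6_routes.splitlines():
        fields = line.split()
        # "blackhole default" / "unreachable default" lines start with another
        # keyword, so blocking routes are not counted as leaks.
        if fields and fields[0] in ("default", "::/0") and "dev" in fields[:-1]:
            dev = fields[fields.index("dev") + 1]
            if dev != tunnel_if:
                leaks.append(dev)
    return leaks

# Constructed sample input: a router-assigned resolver left next to the VPN's
# resolver, and an IPv6 default route still bound to the Wi-Fi interface.
SAMPLE_RESOLV = """\
nameserver 10.8.0.1
nameserver 192.168.1.1   # pushed by the local router over DHCP
"""
SAMPLE_IP6_ROUTES = """\
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

if __name__ == "__main__":
    print("DNS outside tunnel:", dns_outside_tunnel(SAMPLE_RESOLV, "10.8.0.0/24"))
    print("IPv6 default off tunnel:", ipv6_default_off_tunnel(SAMPLE_IP6_ROUTES, "tun0"))
```

An empty list from both functions means neither check found a path around the tunnel; any entry is a resolver or interface to investigate.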

If your internet is very slow, you drive through a tunnel, or use an elevator, your VPN connection might drop. To ensure that you’re still able to browse the web, most devices will fall back to your regular internet connection. The problem is that your device might not alert you to the fact that your VPN is off, so you might think your activities are still anonymous when they aren’t.

To prevent this issue, ExpressVPN includes a kill switch (which it calls “Network Lock”). This blocks all internet traffic until a connection to the VPN can be re-established. Users can also block access to other devices on the network, preventing a compromised PC in the same office from being able to monitor their activities.

Finally, it’s possible to launch ExpressVPN whenever your computer boots, and connect to your last-used server when the app opens. When combined with the Network Lock, these two options allow you to effectively make the VPN connection the default for your device.

Additional tools

ExpressVPN has a few more tricks up its sleeve. This service maintains an ever-expanding list of trackers and malicious sites, and if you enable Threat Protection, it’ll block these from communicating with your device. This not only stops attackers from probing for weaknesses but also ensures that they collect as little information about you as possible. This feature is available on all platforms and protects you from other installed apps, not just websites. Note that if Threat Protection is enabled, you can only use the Lightway protocol.

Authoritarian governments often have strict digital censorship, and try to detect VPN traffic so that they can prevent people from accessing the wider internet. While most of its rivals have been blocked outright, ExpressVPN still works perfectly in places like China, the UAE, and Saudi Arabia. You don’t even have to take extra steps; its obfuscation kicks in automatically.

This service also supports split tunneling. This lets you route certain applications outside the VPN tunnel, over your regular unprotected connection, while the rest remain protected. You’ll want to make sure that your torrenting app is always protected, for example, but may not mind if your ISP can see you watching Netflix.

ExpressVPN: privacy policy and audit history

A VPN can have the most secure servers in the world, but it won’t matter if it keeps detailed logs of your activities. ExpressVPN follows a no-logs policy. Its apps and privacy policy have been audited by respected firms like KPMG, Cure53, and PwC, all of which found that the company is truthful about its logging claims.

Of course, there’s still the question of how this policy would hold against a real-world investigation. In 2019, Turkish authorities who were looking into a political assassination seized one of ExpressVPN’s servers. No useful information was recovered, so we can safely say that there’s no need to worry about having your activities divulged even in the face of legal pressure.

There was some controversy in 2021 when ExpressVPN’s CIO, Daniel Gericke, was revealed to have previously helped the UAE hack politicians, journalists, and activists. ExpressVPN claimed that to better protect its users and fight fire with fire, it needed to know the tricks that oppressive governments use.

ExpressVPN’s RAM-only servers are designed to prevent “tampering or damage from within”. Each server’s entire operating system runs in volatile memory, so no identifying information or logs are ever stored on hard drives.

ExpressVPN safety FAQs

Is it legal to use ExpressVPN where I live?

A handful of countries ban VPNs outright. In most places, there’s no chance of getting into trouble for using services like ExpressVPN. There are exceptions, such as if you use a VPN to commit crimes online or use a provider not approved by the government in countries like China.

Disclaimer: Although we’ve spent hours researching this topic, we are not legal experts. As such, nothing we’ve said above should be taken as legal advice. We encourage you to consult local laws or perhaps even seek a professional’s opinion before attempting to use a VPN if you’re unsure whether doing so is legal. 

Can I try ExpressVPN for free?

Yes, but you will need a payment method. ExpressVPN comes with a 30-day money-back guarantee. Just sign up as normal, try the service for yourself, and tell support staff you’d like a refund if you’re not impressed. We’ve previously created entirely new accounts (not linked to Comparitech) so we could see if it was actually this simple, and had no problems whatsoever getting our money back.

Who owns ExpressVPN?

ExpressVPN is owned by Kape Technologies (previously known as Crossrider), which also owns CyberGhost and Private Internet Access.

Crossrider created a tool that allowed coders to quickly create extensions that worked with multiple browsers natively. Unfortunately, this was widely abused and used to spread adware, which contributed to the company’s negative reputation and eventually led to its name change.

Could Kape have introduced better moderation and quality-checking processes? Absolutely. However, it’s unfair to label it a “former malware distributor” just because bad actors misused its software. ExpressVPN has been repeatedly audited for security and privacy since its acquisition and there’s no indication that it contains any malicious code, viruses, or anything similar.

Where is ExpressVPN based?

ExpressVPN is based in the British Virgin Islands. This is technically a British overseas territory but has its own laws and government. For instance, unlike the UK, the BVI is not part of the Five Eyes intelligence alliance and doesn’t have any mandatory data-retention legislation.

If you’re still concerned about privacy, you can always sign up using a throwaway email address and anonymous payment method. ExpressVPN accepts Bitcoin, prepaid cards, and Apple Store credit, so with the right setup, there’s nothing to link you to your account.