For quite some time VPNs had to deliver their services on a promise-like basis. It’s hard to back up the no-logs privacy claims because there’s a pressure from espionage and governmental agencies for a tighter netizen control. Also, several bad apples participated in data mining while falsely advertising as a VPN service.
However, in the last couple of years, a new practice emerged: independent auditing. This proved to be an efficient way for VPN service providers to test their security features, as well as provide their customers with more than just promises. Brands like ExpressVPN, NordVPN, TunnelBear, and others, were able to defend their statements with rock-solid facts.
Let’s dive in to see how all this started and what was done in a few years.
TunnelBear is the first VPN provider to submit their product to the test willingly. During 2016–2017 they worked alongside German cyber security experts Cure53 (this company name will pop-up frequently) and in August 2017 released a blog post about audit results, with the report itself following in a few months.
Overall, Cure53 found 2 “critical,” 5 “high,” 3 “medium,” 7 “low,” issues. This might look like a lot, but these tests are done to find vulnerabilities before something bad happens. Because Cure53 have been working with TunnelBear for over a year, they positively rated the overall security improvements over time. Also, they underlined that TunnelBear was fast and positive to react to vulnerabilities and improved their services ASAP.
Mullvad and Surfshark audits
Two lesser-known VPNs, Mullvad and Surfshark, followed with separate audits, although once again carried out by Cure53. Mullvad has been here for a while, on the other hand, Surfshark is just over a year old, but already crowned the best VPN newcomer of 2019.
Regarding Mullvad, seven issues were discovered, one rated “critical” and another rated “high.” The results were positive. However, Cure53 underlined that they checked only the front-end side of the service for security issues. Meaning this report doesn’t cover the logging and privacy parts. Still, Mullvad users should be satisfied because their service has been checked for front-end security issues and returned a satisfactory result.
Surfshark went through code audit and penetration tests of their Chrome and Firefox web extensions. to quote the report, “as the extremely low number of findings and their limited implications clearly indicate,
the results of this Cure53 assessment of the Surfshark VPN extensions position the product in a very good light.” It looks like the market newcomers took their service seriously and managed to launch a new high-quality VPN with as little security issues as possible.
ExpressVPN and NordVPN audits
After the first audits came out, two VPN market giants decided to follow. For one week in October 2018, four Cure53 members assessed ExpressVPN security and privacy extensions and on November came back to verify that the issues have been fixed. All in all, they uncovered eight security issues, none of which were rated worse than of “medium” level. All of the uncovered problems have been fixed, and, as expected, ExpressVPN received a positive review.
NordVPN chose a different audit company and submitted themselves to Switz cyber security experts PricewaterhouseCoopers. I have elaborated in-depth on their audit in my previous article, but to summarize shortly, NordVPN chose to prove they keep no-logs. Auditors evaluated their server back-end configurations and revealed that NordVPN does not hold any more logs than necessary to maintain their service. Nothing out of the ordinary has been found, and they were given a positive review of their services.
All in all, major and ambitious VPN providers one after another are checking their services for potential vulnerabilities, and these audits look to be an effective way to back-up the security and privacy claim these companies make. There are lots of VPN providers out there, and the number is growing, and audits may become the new consumer standard for choosing the best provider.