This post was originally published on April 17, 2019.
At ExpressVPN, we know users count on us to protect their privacy and security, and we take that responsibility seriously. That’s why we never collect any activity or connection logs and why we engineered our systems to ensure sensitive information never touches the hard drive. But now, we’re taking it one (huge) step further—we’re cutting the hard drive out of the picture entirely.
Hard drives represented security risks, so we asked: Why use them?
With our industry-first TrustedServer technology, our VPN servers run only on volatile memory (RAM), not on hard drives. Since RAM requires power to store data, this guarantees that all information on a server is wiped every time it is powered off and on again.
In contrast, the traditional and most common way of running servers relies very much on hard drives, which retain all data until they are erased and written over, a painstaking and error-prone process. This increases the risk that servers could inadvertently contain sensitive user information. If someone were to hack or seize the server, they could gain access to this data. Even worse, hackers who do find their way in might be able to install a backdoor that remains indefinitely.
As Bruce Schneier has said, “data is a toxic asset,” and “it continues to be toxic as long as it sits in a company’s computers and networks.”
ExpressVPN TrustedServer technology addresses those security threats by making sure that absolutely nothing—neither information nor intruders—can remain on a server when it is rebooted.
Traditional server administration also posed security risks, so we reimagined it
TrustedServer introduces another key innovation that ensures that all our VPN servers are running the same, most up-to-date software and configuration. Each time a server powers up, it loads the latest read-only image containing the entire software stack, operating system (OS) and all. This is similar to how the “Tails” operating system boots itself. In our case, the image is also cryptographically signed by ExpressVPN, and servers will not operate if that signature isn’t valid.
This gives us confidence that each and every one of our 3,000+ servers worldwide is running exactly the same code—with the right patches and configuration for optimum security and performance. The more software consistency there is across a network, the less likely that there are vulnerabilities or misconfigurations, and the more sure we can be that the software that we audit and test is actually what’s running on all servers.
In contrast, the traditional approach to server administration is to install the OS and software when the server is first set up, and then install updates and make configurations to that OS and software over time. It might be years until a server is wiped and the OS re-installed.
With traditional server administration, every incremental update that is applied one by one across thousands of servers is an opportunity for differences among them to arise, like tiny evolutionary mutations across generations. The more servers a company has, and the more time passes, the less confident that company can be that every single server is running the exact same code and configured the same way. As a result, a server that was set up years ago might be running software in an unexpected way that’s dangerously different from what the company’s engineers are testing or auditing today.
TrustedServer means that ExpressVPN is able to have a high level of confidence that we know exactly what’s running on each of our servers, and that the OS is effectively “reinstalled” with every single reboot—dramatically minimizing security risks.
See Destin Sandlin of popular YouTube channel Smarter Every Day explain the privacy and security benefits of TrustedServer in his own words:
Like containerization, but for the entire software stack
For those of you who are familiar with containerization, the idea of loading an image onto a server for easy and consistent deployment might sound familiar. The key difference here is that our TrustedServer technology enables the entire software stack—OS on up—to be included in this image. The image is loaded on boot and runs on bare metal; there’s no separate host OS, VM, hypervisor, or container engine that could be left unpatched, misconfigured, or vulnerable to hackers.
ExpressVPN developed this approach in-house, and we’re not aware of any other company (including those outside of the VPN industry) that’s doing this today. Other containers described as “bare-metal” typically still run on a host OS. We look forward to sharing more about how we’ve implemented it so that other companies and industries, along with the people they serve, can benefit.
Learn more about our TrustedServer technology
TrustedServer represents a major leap in protecting user privacy and security, and we’ll be sharing additional explainers, including more technical content, in the coming weeks. Stay tuned for more information about how this technology could fundamentally reshape how servers operate.
Comments
“we’ll be sharing additional explainers, including more technical content, in the coming weeks”. – 2019-12-11
yes, I want free internet my company, online earning Sdn bhd. (it’s A non-profit organization) diaster & human right solution funding!
Wow it so nice to use but how to this if I have no load how to get a free internet
Why does my Express VPN keep dropping out..its very upsetting as this is business a/c. Thanks J King mgr
Sorry to hear that, John. Please contact out Support Team and they will get it resolved ASAP.
Johnny 5, did you die? Did you pass away?
Why you don’t answer to Patrick Cavyell.
He’s worries and observations are right.
I would like to hear also the answer and to propose, that you may be, you can make from the begin an browser and be the first vpn company with your own browser.
With this way, you can eliminate so many as possible threats you can for the privacy for your clients.
Thank you.
One very very happy client of express vpn!
Good, no-nonsense, non-techie information. It increases my comfort level to know you’re not just sitting on your laurels. Look, you’re not a cheap VPN. But, with info like this, it makes me realize I’m getting value for money.
Hi Henry, sorry to hear this. Please contact our Support Team and they will help you get it sorted.
My VPN has suddenly started switching itself off and on rapidly not allowing me to connect to the Internet
Hi Mark, sorry to hear this. Please contact our Support Team and they will sort it for you.
My thinking is that Express vpn is headed in the right direction as I see privacy becoming more and more of a concern as people are seeing just how unethical some of the companies are getting in their data collection practices. I believe there will be more apps and programs developed to protect privacy because there is no one way to keep your privacy. Vpns are good but just by theirself do not keep you anonymous, Google and some others are identifying people fairly accurately without an IP address being used. AI is to the point where an individual can be identified just by browsing habits if there is enough data points known. Individual computers used are even easier too identify much like a fingerprint since it is likely that no two computers are exactly alike. I think that as long as express is honest and working on this new privacy concern, and stay off the slippery slope of stealing data and using customers as the product then you guys will continue to grow.
And how often is a server restarted?
Hi Steve, we reboot on a regular basis. This is to allow for updates and also to ensure that if a particular server does have a problem, it won’t have it for long—as the reboot will clear it all out.
Can you specify what “regular basis” means? How often?
Has TrustedServer technology been implemented into the VPN service already?
It sure has.