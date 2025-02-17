ExpressVPN has announced a major change to its Lightway protocol, recoding the protocol from C to Rust in a bid to revolutionize the VPN industry and create a "more secure and high-performing" Lightway for users.

Modernizing the protocol to the Rust programming language while keeping the code open source ensures anyone with the right knowledge can see that Lightway works as it should and retains security. Two independent auditors, Cure53 and Praetorian, have already confirmed the upgraded service is private and secure.

The provider's built-in VPN router, ExpressVPN Aircove, is the first platform supporting the new Lightway. In the coming months, the provider will roll out the upgrade across all other devices, with its Android VPN expected to be updated by the end of March.

A new VPN protocol standard

When ExpressVPN built and launched Lightway in 2020, the provider designed it to deliver speedy, secure, and more reliable connections. Now, Lightway's Rust upgrade aims to continue that promise, posing the foundation "for the future of VPN connectivity."

"At ExpressVPN, we innovate to solve the challenges of tomorrow," said Pete Membrey, Chief Research Officer at ExpressVPN. "With Rust widely recognized as the high-performing, secure, and reliable language, it was a natural choice for evolving Lightway."

Rust, the provider explains, essentially brings three key advantages – better security, performance, and ease of extension.

Rust uses built-in memory safety that supposedly eliminates the risk of some common vulnerabilities and attack vectors plaguing its C counterparts. Rust's code is even simpler than C, too – making the VPN connection lighter, faster, and less power-consuming.

Lastly, Rust's modern architecture should also ensure easier implementation of Ligthway's security fixes and new features. This is especially advantageous within the post-quantum VPN race.

(Image credit: ExpressVPN)

As mentioned, two independent audits – carried out by cybersecurity firms Cure53 and Praetorian – have already taken apart the upgraded Lightway and didn't find any major vulnerabilities.

Specifically, Praetorian reported only two low-risk findings and Cure53 five, with four classified as "miscellaneous" carrying low exploitation potential. After that, ExpressVPN fixed all these findings, as new auditors' validation could confirm.

"Investing in dual audits from two independent firms was an important decision we made to gain diverse expert perspectives on Lightway’s new code base,” said Aaron Engel, Chief Information Security Officer at ExpressVPN.

ExpressVPN's commitment to transparency doesn't end here, though. Everyone can view Lightway's source code by heading to ExpressVPN's GitHub page.

Challenging the industry

Lightway 2.0 promises to set a new standard for future VPN protocols where security, performance, and efficiency go hand in hand.

Yet, ExpressVPN's goal isn't just making its product more secure, reliable, and faster – the provider now hopes the whole industry will follow suit, inviting everyone to test it out and, potentially, adapt it.

"Promoting digital rights is ultimately our main goal," said Director for Communication and Advocacy, Lauren Hendry Parsons, pointing out how Lightway in Rust could also be implemented on decentralized VPN solutions.

"We do hope that people [in the VPN industry] will see Lightway as a resourceful tool," added Chief Research Officer Membrey. "You have a post-quantum secure VPN that works really fast and could potentially be used in military settings as well.

"Our goal with Lightway is not only to serve the users of ExpressVPN but also to contribute its technology meaningfully to the VPN industry."