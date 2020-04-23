Credit: ExpressVPN

It’s impressive how much ExpressVPN packs into its service. In addition to supporting the usual VPN connections across nearly 100 countries, ExpressVPN supports Smart DNS on consoles and set-top boxes–a great feature for Americans working abroad. It has a built-in speed test to help you make better decisions about which connections to use–if speed is your priority. It also works with Netflix in the U.S.—though you may need to try a few servers before it’ll take.

The company is also working on trust with diskless servers, and it underwent a security audit from PwC.

ExpressVPN is moving in the right direction, but how does it measure up overall?

ExpressVPN: Security, software, servers, and speed

ExpressVPN is based in the British Virgin Islands. The company says it’s doing this to remain outside of the “14 Eyes” group of countries that includes the United States, Canada, and the United Kingdom. The BVI also doesn’t have any data retention laws, and ExpressVPN supposedly cannot be compelled to produce customer records by countries such as the U.S. and the UK.

That said, we’re not fans of services with exotic headquarters—especially when most people are accessing U.S.-based mega services with them anyway. ExpressVPN doesn’t have a CEO or President that is publicly known, but Harold Li, who is the company Vice President, is based in Hong Kong.

ExpressVPN uses OpenVPN for its connections, SHA-256 for data authentication, and AES-256 for data encryption. The handshake uses 2048-bit RSA. Those with more up-to-date apps will be able to use AES-256-GCM instead of SHA-256. On Mac, OpenVPN also offers options to use IKEv2 or L2TP - IPSec. ExpressVPN briefly details the pros and cons of each protocol in the Preferences to help users make better decisions.

ExpressVPN is another VPN turning to servers without onboard storage. The company calls this feature TrustedServer. Instead of an operating system loading from a hard drive or SSD, these servers are usually started remotely, and the entire software stack loads into RAM.

IDG ExpressVPN’s country list.

The basic idea is that these servers can only keep a limited amount of information since everything is in RAM. Once the servers are restarted for maintenance or shut down, the data disappears. It’s not impossible to extract data from a RAM-only server, but it’s much harder and the amount of data retrieved would be limited compared to what could be on a hard drive or SSD.

The company also underwent an audit by PwC in June 2019. As a result, PwC found ExpressVPN was in compliance with its privacy policy. Similar to other VPN audits we’ve seen, only customers and press can see the full report, but it cannot be published. That’s not great, but it seems to be the standard.

There’s nothing stopping the company from changing the system once the auditors are gone, which is an inherent weakness in third-party auditing. Like anything with VPNs it’s all about trusting that the company won’t do that. We’d really like to see a situation where auditors were paid to come in at a time of their choosing for surprise inspections, but the cost likely makes that prohibitive.

The ExpressVPN software is very easy to use and has some nice features for basic and advanced users alike. Once connected to the VPN, ExpressVPN displays five shortcut spaces to quickly access favorite programs or websites commonly used over the VPN.

IDG ExpressVPN’s shortcuts settings.

ExpressVPN fills up four of the spaces automatically with links to Safari, Mail, Wikipedia, and Google. All of them can be removed and/or changed by going to Preferences > Shortcuts.

As we’ve already covered, power users can change the VPN protocol to their liking. There’s also a speed test that checks the responsiveness of each VPN location. The test results include the latency in milliseconds, the download speed in kilobits per second (kbps), and an overall speed index. The index is based on latency and download speed. In the case of the index and download speed, the higher the number, the better. For latency, a lower number is better. The test also lets you rank one of the categories from lower to higher or vice versa the same way Finder can order files by name, date, size, or type.

Click on the hamburger menu icon and go to Help & Support to also access an IP address checker, DNS leak test, and a WebRTC leak test. All of these are helpful tools for a quick security check. There’s also an internet kill switch, which is on by default.

ExpressVPN has 95 country options, and its network includes more than three thousand servers.

IDG ExpressVPN’s built-in speed test.

In our speed tests, ExpressVPN was outstanding. After three days of tests at different times of the day, ExpressVPN maintained nearly 44 percent of the base speed across five country locations. That is the best result we’ve had in the last two years. In other words, we have a new speed champion.

Pricing

ExpressVPN charges a flat $100 per year, $10 a month for a six-month term, or $13 on a month-to-month basis. For that money, ExpressVPN provides access to all its features, country locations, and five simultaneous connections.

Bottom line

ExpressVPN’s pricing is a little high, but it does offer a lot for that money. This is not the cheapest VPN out there, and anyone interested in simply securing their connection when out in public should look elsewhere. Anyone planning on using all the features, including Smart DNS for their set-top box, Netflix streaming, and securing over open Wi-Fi, then ExpressVPN is worth it.

We’d much prefer that ExpressVPN be public about its management. For that reason, we can’t recommend it for people looking for the best possible privacy and anonymity. But if you want a service that works well and reliably, and can be used across multiple devices, ExpressVPN is an excellent choice.

Editor’s note: Because online services are often iterative, gaining new features and performance improvements over time, this review is subject to change in order to accurately reflect the current state of the service. Any changes to text or our final review verdict will be noted at the top of this article.