Lightway, ExpressVPN's open source protocol

A few days ago ExpressVPN unveiled the open source implementation of the Lightway protocol, which is designed to achieve minimal connection setup times while maintaining a high level of security and reliability. The code is written in C and is distributed under the GPLv2 license.

The implementation is very compact and fits in two thousand lines of code. In addition, support has been announced for Linux, Windows, macOS, iOS and Android, for routers (Asus, Netgear, Linksys) and for browsers.

About Lightway

Lightway's code uses ready-made, validated cryptographic functions provided by the wolfSSL library, which is already used in FIPS 140-2 certified solutions.

In normal mode, the protocol uses UDP for data transmission and DTLS to create an encrypted communication channel. As an option for networks where UDP is unreliable or restricted, the server offers a more reliable but slower transmission mode that carries data over TCP and TLSv1.3.

Over the past year, our users have been able to experience how fast their connections are with Lightway, how fast they can get a VPN connection, often in a fraction of a second, and how reliable their connections are, even when they change networks. Lightway is yet another reason, along with the advanced bandwidth and server infrastructure we have built, that we can provide the best VPN service for our users.

And now, anyone can see for themselves what is included in Lightway's core code, as well as read an independent audit of Lightway's security by cybersecurity firm Cure53.

Testing by ExpressVPN has shown that, compared to the older protocols (ExpressVPN supports L2TP/IPSec, OpenVPN, IKEv2, PPTP and SSTP, but does not detail which ones were used in the comparison), the move to Lightway reduced connection setup time by an average of 2.5 times (in more than half of the cases, the communication channel is established in less than a second).

The new protocol also reduced the number of disconnections in unreliable mobile networks with communication quality problems by 40%.

As for the security of the implementation, the announcement states that it is backed by an independent audit carried out by Cure53, which has previously audited NTPsec, SecureDrop, Cryptocat, F-Droid and Dovecot.

The audit involved reviewing the source code and included tests to identify potential vulnerabilities (issues related to cryptography were out of scope).

In general, the quality of the code was rated high; nevertheless, the audit revealed three vulnerabilities that can lead to denial of service and one vulnerability that allows the protocol to be used as a traffic amplifier in DDoS attacks.
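The amplification finding is worth understanding on its own: a UDP server that answers an unverified first packet with a large reply lets anyone who spoofs a victim's source address turn the server into a multiplier. The following simulation is an added example, not Lightway's, wolfSSL's or Cure53's code, and the page does not say how ExpressVPN fixed its issue. It models one standard mitigation, the stateless cookie round trip that DTLS uses (HelloVerifyRequest), and compares the bytes-out per byte-in ratio of a naive server with that of a cookie-checking server. The packet sizes, addresses and secret are constructed values.

```python
# Added example (not Lightway's or wolfSSL's code): how a stateless cookie
# exchange, modelled on the DTLS HelloVerifyRequest step, keeps a UDP
# handshake from acting as a traffic amplifier for spoofed sources.
import hashlib
import hmac
import os

# All sizes and the secret below are constructed for the simulation.
SERVER_SECRET = os.urandom(32)      # per-server key, rotated periodically in practice
CLIENT_HELLO = b"C" * 100           # stands in for a small first client packet
SERVER_HELLO = b"S" * 1200          # stands in for a large handshake reply
COOKIE_LEN = 16


def make_cookie(client_addr: str, client_hello: bytes) -> bytes:
    """Bind a short MAC to the claimed source address; no server state is kept."""
    mac = hmac.new(SERVER_SECRET, client_addr.encode() + client_hello, hashlib.sha256)
    return mac.digest()[:COOKIE_LEN]


def naive_server(client_addr: str, client_hello: bytes) -> bytes:
    """Vulnerable pattern: a large reply goes to whatever address the packet claims."""
    return SERVER_HELLO


def cookie_server(client_addr: str, client_hello: bytes, cookie: bytes = b"") -> bytes:
    """Hardened pattern: the reply stays tiny until the client echoes a valid cookie."""
    expected = make_cookie(client_addr, client_hello)
    if not hmac.compare_digest(cookie, expected):
        return expected             # only COOKIE_LEN bytes leave the server
    return SERVER_HELLO


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes sent by the server per byte received; >1 means the server amplifies."""
    return len(reply) / len(request)


def simulate() -> dict:
    """Compare both servers against a spoofed first packet and a legitimate client."""
    victim = "198.51.100.7"          # address forged as the packet source (constructed)
    results = {}

    # Spoofed packet: the forger never sees the reply, so it can never echo a cookie.
    results["naive_spoofed"] = amplification_factor(CLIENT_HELLO, naive_server(victim, CLIENT_HELLO))
    results["cookie_spoofed"] = amplification_factor(CLIENT_HELLO, cookie_server(victim, CLIENT_HELLO))

    # Legitimate client: receives the cookie, echoes it, then gets the full reply.
    client = "203.0.113.5"           # constructed
    cookie = cookie_server(client, CLIENT_HELLO)
    second = cookie_server(client, CLIENT_HELLO, cookie)
    results["legit_second_round"] = amplification_factor(CLIENT_HELLO + cookie, second)
    results["legit_completed"] = second == SERVER_HELLO
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With the constructed sizes, the naive server returns 12 bytes for every byte a spoofed packet sends it, while the cookie server returns 0.16 bytes until the source address has proven it can receive replies. The large reply still goes out in the second round, but only to an address that has demonstrated reachability, which is the property a defender should check for in any UDP-based handshake.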

The reported issues have since been fixed, and the feedback on code improvements has been taken into account. The audit also looked at known vulnerabilities and issues in the third-party components involved, such as libdnet, WolfSSL, Unity, Libuv and lua-crypt. Most of the issues are minor, with the exception of a MITM vulnerability in WolfSSL (CVE-2021-3336).

Development of the protocol's reference implementation will take place on GitHub, with community members able to participate (to contribute changes, they must sign a CLA assigning the rights to the code).

Other VPN providers are also invited to cooperate, since they can use the proposed protocol without restrictions. Building it requires the Earthly and Ceedling build systems. The implementation is packaged as a library that you can use to integrate VPN client and server functionality into your own applications.

Finally, if you are interested in learning more about this implementation, you can check the details at the following link.

