ExpressVPN’s Encryption is Weak, Says Marc Bevand

December 15, 2015

Marc Bevand, a former Google information security engineer, has raised questions about the quality of the encryption provided by VPN services.

Last week, while in China, he experimented with VPN services to access internet sites blocked by the Great Firewall. Many people in China use VPN services to browse English-language sites that are blocked by the government.

According to the VPN services, they not only help you access blocked sites but also protect your internet connection by encrypting the data you send and receive, so that you remain protected from snooping by authorities.

Bevand found that when he used ExpressVPN, the most popular VPN service in the country, it helped him access the site, but the 1024-bit RSA key the company provided to encrypt the connection was not strong enough to protect it from snooping by the Chinese government. He added that although such snooping requires costly computing equipment, the government could easily decrypt the VPN service's traffic because it uses only a 1024-bit key.

Bevand feels that VPN services should provide a key with a minimum size of 2048 bits for data encryption.

ExpressVPN, however, explained in a blog post that it will be using 2048-bit keys within the next few weeks.