ExpressVPN's Dedicated IP System: A Deep Dive into Cutting-Edge VPN Security
Dec 05, 2024 at 01:49 am
Today's best VPNs are a fiercely competitive bunch, always trying to offer something that the rest of the market doesn't. ExpressVPN takes an unconventional approach to the competition.
ExpressVPN is renowned for pushing the boundaries of VPN security with cutting-edge innovations. Its latest development is dedicated IP, a service that combines cryptographically-backed tokens with a unique semi-public payment architecture to safeguard your purchase and maintain anonymity.
Dedicated IPs: Exploring the Benefits and Drawbacks
Before delving into the technical aspects, let's establish the fundamentals of dedicated IPs.
Typically, when using a VPN, you share an IP address with other users simultaneously. This practice, employed by default, aims to reduce costs for VPN providers since IP addresses are a valuable resource – and it also offers some privacy advantages.
Multiple users sharing the same address enhances privacy by making it challenging to definitively attribute traffic to a specific individual.
In contrast, a dedicated IP is assigned exclusively to you, uniquely identifying you as the sole user of that IP. This approach presents both advantages and disadvantages.
Dedicated IPs inherently reduce the anonymity provided by VPNs, highlighting the crucial need to ensure there's no link between the purchased IP and your real details.
However, dedicated IPs are invaluable in specific use cases. Many enterprise systems, such as VPN access to internal networks, incorporate IP whitelisting as part of their multi-factor authentication. Dynamic or shared IPs are unsuitable for this purpose because they defeat the goal of restricting access to specific users.
Moreover, shared IPs increase the likelihood of encountering CAPTCHA challenges and anti-bot checks. Dedicated IPs resolve this issue by ensuring only one user is associated with the IP. This also simplifies access to sites, such as Wikipedia, that ban frequent troublemakers by IP address.
What Sets ExpressVPN's Approach Apart?
ExpressVPN's dedicated IP system is an innovative blend of authentication systems, cryptographic attestation, and public trust infrastructure.
It enables you to purchase a dedicated IP anonymously while effortlessly managing multiple dedicated IPs across devices.
Essentially, when you purchase a dedicated IP from ExpressVPN, you receive an authentication token that's unique to your account. This token verifies that you have an active subscription, but not which IP is associated with it.
To generate the remaining tokens required to access a specific dedicated IP, your client app submits this token to ExpressVPN's authorization servers. Once this step is complete, you obtain your anonymous DIP “tickets”, which can be used to enroll multiple ExpressVPN-enabled devices on the same dedicated IP.
The critical aspect to consider is that if there's any correlation between the subscriber ID that uniquely identifies you and the access token that permits you to use a dedicated IP, your internet traffic is essentially being “logged”.
This is why your subscriber ID and the dedicated IP access token are separate entities and must remain distinct throughout the process. Otherwise, a rogue ExpressVPN employee or a law enforcement officer with access to ExpressVPN's servers would be able to link your web traffic to your real identity.
To address this concern and ensure privacy, ExpressVPN has meticulously designed its backend according to a strict model.
In this model, only trusted devices can simultaneously access the subscription ID token and the dedicated IP token to verify eligibility.
ExpressVPN defines a “trusted” device as one that the end user can either control themselves (such as the VPN client) or one they can verify is running exactly the code that ExpressVPN claims is running.
However, ExpressVPN cannot fully trust the client to carry out all of the eligibility requirements, as an attacker could potentially edit the client to gain access to dedicated IPs.
This poses a fundamental question that underpins the entirety of its architecture: How do you verify someone’s eligibility to use a service in a way that’s both private and trustworthy for both parties?
The Cornerstone of Trustworthy Computing
This is where Amazon's AWS Nitro Enclaves come into play.
These servers are the lynchpin that holds the entire model together. Nitro Enclaves are virtual machines designed to run in a completely isolated environment.
That means no network access, no permanent storage, and no communication with outside devices other than by a strictly defined API. It’s impossible to peek inside, making them great for the use case we’re looking at.
Each Nitro Enclave has a public interface that allows anyone to query the server and receive certification that the enclave is running a particular software image.
All ExpressVPN has to do is publish the source code for these servers, and ta-da! You now have a trusted device that can prove eligibility privately and securely.
You know exactly what code is running on these servers, and you know an employee can’t read what’s going on inside.
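A client-side check corresponding to the verification described above, as an added example that is not ExpressVPN's code: it decides whether a decoded attestation payload shows the enclave running the published image before any token is sent to it. The payload layout, the sample document and the expected PCR values are constructed for illustration, and verification of the document's signature and certificate chain is assumed to have been done beforehand.

```python
import hmac
import time

PCR_LEN = 48  # Nitro PCRs are SHA-384 digests (48 bytes)

# Constructed placeholders: measurements a reader would obtain by building the
# published enclave source themselves. These are not real ExpressVPN values.
EXPECTED_PCRS = {0: "a1" * PCR_LEN, 1: "b2" * PCR_LEN, 2: "c3" * PCR_LEN}


def check_attestation(doc, expected_pcrs, nonce, now=None, max_age_s=300):
    """Return the reasons to distrust the enclave (an empty list means accept).

    Assumes `doc` is the decoded payload of an attestation document whose
    signature and certificate chain have already been verified.
    """
    now = time.time() if now is None else now
    problems = []

    # Freshness: the enclave must echo the nonce we sent, otherwise a document
    # recorded from an earlier, honest image could be replayed.
    if not hmac.compare_digest(doc.get("nonce", b""), nonce):
        problems.append("nonce mismatch")

    age = now - doc.get("timestamp", 0) / 1000  # timestamp is in milliseconds
    if age < 0 or age > max_age_s:
        problems.append("stale or future-dated document")

    pcrs = doc.get("pcrs", {})
    for index, expected_hex in expected_pcrs.items():
        got = pcrs.get(index, b"")
        if len(got) != PCR_LEN:
            problems.append(f"PCR{index} missing or wrong length")
        elif got == bytes(PCR_LEN):
            # Debug-mode enclaves attest with all-zero PCRs and can be inspected.
            problems.append(f"PCR{index} is all zeros (debug mode)")
        elif not hmac.compare_digest(got, bytes.fromhex(expected_hex)):
            problems.append(f"PCR{index} does not match the published build")
    return problems


def sample_doc(nonce, pcr_hex=EXPECTED_PCRS, ts=1_700_000_000_000):
    """Constructed attestation payload for demonstration."""
    return {"nonce": nonce, "timestamp": ts,
            "pcrs": {i: bytes.fromhex(h) for i, h in pcr_hex.items()}}
```

The client releases its tokens only when the returned list is empty; any entry means the enclave cannot be shown to run the published code.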
The rest of the authentication process isn’t