ExpressVPN 的專用 IP 系統：深入探討尖端 VPN 安全性

當今最好的 VPN 競爭非常激烈，總是試圖提供市場上其他產品所沒有的東西。 ExpressVPN採取了非常規的競爭方式。

ExpressVPN is renowned for pushing the boundaries of VPN security with cutting-edge innovations. Its latest development is dedicated IP, a service that combines cryptographically-backed tokens with a unique semi-public payment architecture to safeguard your purchase and maintain anonymity.

ExpressVPN 以透過尖端創新突破 VPN 安全界限而聞名。其最新開發是專用IP，這是一種將加密支援的代幣與獨特的半公共支付架構相結合的服務，以保護您的購買並保持匿名。

Dedicated IPs: Exploring the Benefits and Drawbacks

專用 IP：探索優點和缺點

Before delving into the technical aspects, let's establish the fundamentals of dedicated IPs.

在深入研究技術方面之前，讓我們先了解專用 IP 的基礎知識。

Typically, when using a VPN, you share an IP address with other users simultaneously. This practice, employed by default, aims to reduce costs for VPN providers since IP addresses are a valuable resource – and it also offers some privacy advantages.

通常，使用 VPN 時，您會同時與其他使用者共用 IP 位址。預設採用的這種做法旨在降低 VPN 提供者的成本，因為 IP 位址是寶貴的資源，而且它還提供了一些隱私優勢。

Interested in the differences between shared and static IP addresses? Head on over to our detailed guide to dedicated IPs.

對共享 IP 位址和靜態 IP 位址之間的差異感興趣嗎？請參閱我們的專用 IP 詳細指南。

Multiple users sharing the same address enhances privacy by making it challenging to definitively attribute traffic to a specific individual.

多個用戶共享相同地址，很難明確地將流量歸因於特定個人，從而增強了隱私性。

In contrast, a dedicated IP is assigned exclusively to you, uniquely identifying you as the sole user of that IP. This approach presents both advantages and disadvantages.

相較之下，專用 IP 專門指派給您，唯一地將您標識為該 IP 的唯一使用者。這種方法既有優點也有缺點。

Dedicated IPs inherently reduce the anonymity provided by VPNs, highlighting the crucial need to ensure there's no link between the purchased IP and your real details.

專用 IP 本質上會降低 VPN 提供的匿名性，這凸顯了確保購買的 IP 與您的真實詳細資訊之間沒有聯繫的關鍵需求。

However, dedicated IPs are invaluable in specific use cases. Many enterprise systems, such as VPN access to internal networks, incorporate IP whitelisting as part of their multi-factor authentication. Utilizing dynamic or shared IPs for this purpose is unsuitable as it goes against the intended goal of restricting access to specific users.

然而，專用 IP 在特定用例中非常寶貴。許多企業系統（例如對內部網路的 VPN 存取）將 IP 白名單作為其多因素身份驗證的一部分。為此目的使用動態或共享 IP 是不合適的，因為它違背了限制特定使用者存取的預期目標。

Moreover, shared IPs increase the likelihood of encountering CAPTCHA challenges and anti-bot checks. Dedicated IPs resolve this issue by ensuring only one user is associated with the IP. This also simplifies accessing sites that ban frequent troublemakers (like Wikipedia) by using IPs.

此外，共享 IP 增加了遇到驗證碼挑戰和反機器人檢查的可能性。專用 IP 透過確保只有一個使用者與該 IP 關聯來解決此問題。這也簡化了使用 IP 來存取那些禁止經常製造麻煩的網站（如維基百科）的過程。

What Sets ExpressVPN's Approach Apart?

ExpressVPN 的方法有何獨特之處？

ExpressVPN's dedicated IP system is an innovative blend of authentication systems, cryptographic attestation, and public trust infrastructure.

ExpressVPN 的專用 IP 系統是身分驗證系統、加密證明和公共信任基礎架構的創新組合。

It enables you to purchase a dedicated IP anonymously while effortlessly managing multiple dedicated IPs across devices.

它使您能夠匿名購買專用 IP，同時輕鬆管理跨裝置的多個專用 IP。

Essentially, when you purchase a dedicated IP from ExpressVPN, you receive an authentication token that's unique to your account. This token serves to verify that you have an active subscription – but not the IP associated with it.

本質上，當您從 ExpressVPN 購買專用 IP 時，您會收到帳戶獨有的身份驗證令牌。此令牌用於驗證您是否具有有效的訂閱，但不是與其關聯的 IP。

To generate the remaining tokens required to access a specific dedicated IP, your client app submits it to ExpressVPN's authorization servers. Once this step is complete, you obtain your anonymous DIP “tickets” which can be used to enroll multiple ExpressVPN-enabled devices on the same dedicated IP.

若要產生存取特定專用 IP 所需的剩餘令牌，您的用戶端應用程式會將其提交至 ExpressVPN 的授權伺服器。完成此步驟後，您將獲得匿名 DIP“門票”，可用於在同一專用 IP 上註冊多個支援 ExpressVPN 的裝置。

ExpressVPN's dedicated IP system is an innovative blend of authentication systems, cryptographic attestation, and public trust infrastructure.

ExpressVPN 的專用 IP 系統是身分驗證系統、加密證明和公共信任基礎架構的創新組合。

The critical aspect to consider is that if there's any correlation between the subscriber ID that uniquely identifies you and the access token that permits you to use a dedicated IP, your internet traffic is essentially being “logged”.

需要考慮的關鍵方面是，如果唯一標識您的訂戶 ID 與允許您使用專用 IP 的存取權杖之間存在任何關聯，則您的網路流量本質上已被「記錄」。

This is why your subscriber ID and the dedicated IP access token are separate entities and must remain distinct throughout the process. Otherwise, a rogue ExpressVPN employee or a law enforcement officer with access to ExpressVPN's servers would be able to link your web traffic to your real identity.

這就是為什麼您的訂閱者 ID 和專用 IP 存取權杖是單獨的實體，並且在整個過程中必須保持不同。否則，流氓 ExpressVPN 員工或有權存取 ExpressVPN 伺服器的執法人員將能夠將您的網路流量與您的真實身分關聯起來。

To address this concern and ensure privacy, ExpressVPN has meticulously designed its backend according to a strict model.

為了解決這個問題並確保隱私，ExpressVPN按照嚴格的模型精心設計了其後端。

In this model, only trusted devices can simultaneously access the subscription ID token and the dedicated IP token to verify eligibility.

在此模型中，只有受信任的裝置才能同時存取訂閱 ID 令牌和專用 IP 令牌以驗證資格。

ExpressVPN defines a “trusted” device as one that the end user can either control themselves (such as the VPN client) or one they can verify is running exactly the code that ExpressVPN claims is running.

ExpressVPN 將「可信任」裝置定義為最終使用者可以自行控制的裝置（例如 VPN 用戶端），或者他們可以驗證是否執行與 ExpressVPN 聲稱正在執行的程式碼完全相同的裝置。

However, ExpressVPN cannot fully trust the client to carry out all of the eligibility requirements, as an attacker could potentially edit the client to gain access to dedicated IPs.

然而，ExpressVPN 無法完全信任用戶端能夠滿足所有資格要求，因為攻擊者可能會編輯用戶端以獲得對專用 IP 的存取權。

This poses a fundamental question that underpins the entirety of its architecture: How do you verify someone’s eligibility to use a service in a way that’s both private and trustworthy for both parties?

這就提出了一個支撐整個架構的基本問題：如何以雙方都私密且可信的方式驗證某人使用服務的資格？

The Cornerstone of Trustworthy Computing

可信賴運算的基石

This is where Amazon's AWS Nitro Enclaves come into play.

這就是亞馬遜的 AWS Nitro Enclaves 發揮作用的地方。

These servers are the lynchpin that holds the entire model together. Nitro Enclaves are virtual machines designed to run in a completely isolated environment.

這些伺服器是將整個模型結合在一起的關鍵。 Nitro Enclave 是設計用於在完全隔離的環境中運作的虛擬機器。

That means no network access, no permanent storage, and no communication with outside devices other than by a strictly defined API. It’s impossible to peek inside, making them great for the use case we’re looking at.

這意味著除了嚴格定義的 API 之外，沒有網路存取、沒有永久存儲，也不能與外部設備進行通訊。不可能窺視內部，這使得它們非常適合我們正在研究的用例。

How do you verify someone’s eligibility to use a service in a way that’s both private and trustworthy for both parties?

如何以雙方都私密且可信的方式驗證某人使用服務的資格？

Each Nitro Enclave has a public interface that allows anyone to query the server and receive certification that the enclave is running a particular software image.

每個 Nitro Enclave 都有一個公共接口，允許任何人查詢伺服器並接收該 Enclave 正在運行特定軟體映像的認證。

All ExpressVPN has to do is publish the open source for these servers, and ta-da! You now have a trusted device that can prove eligibility privately and securely.

ExpressVPN 要做的就是發布這些伺服器的開源程式碼，然後就完成了！您現在擁有一台值得信賴的設備，可以私下安全地證明您的資格。

You know exactly what code is running on these servers, and you know an employee can’t read what’s going on inside.

您確切地知道這些伺服器上正在運行什麼程式碼，並且您知道員工無法讀取內部發生的情況。

The rest of the authentication process isn’t

身份驗證過程的其餘部分不是