ExpressVPN 的专用 IP 系统：深入探讨尖端 VPN 安全性

当今最好的 VPN 竞争非常激烈，总是试图提供市场上其他产品所没有的东西。 ExpressVPN采取了非常规的竞争方式。

ExpressVPN is renowned for pushing the boundaries of VPN security with cutting-edge innovations. Its latest development is dedicated IP, a service that combines cryptographically-backed tokens with a unique semi-public payment architecture to safeguard your purchase and maintain anonymity.

ExpressVPN 因通过尖端创新突破 VPN 安全界限而闻名。其最新开发是专用IP，这是一种将加密支持的代币与独特的半公共支付架构相结合的服务，以保护您的购买并保持匿名。

Dedicated IPs: Exploring the Benefits and Drawbacks

专用 IP：探索优点和缺点

Before delving into the technical aspects, let's establish the fundamentals of dedicated IPs.

在深入研究技术方面之前，让我们先了解一下专用 IP 的基础知识。

Typically, when using a VPN, you share an IP address with other users simultaneously. This practice, employed by default, aims to reduce costs for VPN providers since IP addresses are a valuable resource – and it also offers some privacy advantages.

通常，使用 VPN 时，您会同时与其他用户共享 IP 地址。默认情况下采用的这种做法旨在降低 VPN 提供商的成本，因为 IP 地址是宝贵的资源，而且它还提供了一些隐私优势。

Interested in the differences between shared and static IP addresses? Head on over to our detailed guide to dedicated IPs.

对共享 IP 地址和静态 IP 地址之间的区别感兴趣吗？请参阅我们的专用 IP 详细指南。

Multiple users sharing the same address enhances privacy by making it challenging to definitively attribute traffic to a specific individual.

多个用户共享同一地址，从而很难明确地将流量归因于特定个人，从而增强了隐私性。

In contrast, a dedicated IP is assigned exclusively to you, uniquely identifying you as the sole user of that IP. This approach presents both advantages and disadvantages.

相比之下，专用 IP 专门分配给您，唯一地将您标识为该 IP 的唯一用户。这种方法既有优点也有缺点。

Dedicated IPs inherently reduce the anonymity provided by VPNs, highlighting the crucial need to ensure there's no link between the purchased IP and your real details.

专用 IP 本质上会降低 VPN 提供的匿名性，这凸显了确保购买的 IP 与您的真实详细信息之间没有联系的关键需求。

However, dedicated IPs are invaluable in specific use cases. Many enterprise systems, such as VPN access to internal networks, incorporate IP whitelisting as part of their multi-factor authentication. Utilizing dynamic or shared IPs for this purpose is unsuitable as it goes against the intended goal of restricting access to specific users.

然而，专用 IP 在特定用例中非常宝贵。许多企业系统（例如对内部网络的 VPN 访问）将 IP 白名单作为其多因素身份验证的一部分。为此目的使用动态或共享 IP 是不合适的，因为它违背了限制特定用户访问的预期目标。

Moreover, shared IPs increase the likelihood of encountering CAPTCHA challenges and anti-bot checks. Dedicated IPs resolve this issue by ensuring only one user is associated with the IP. This also simplifies accessing sites that ban frequent troublemakers (like Wikipedia) by using IPs.

此外，共享 IP 增加了遇到验证码挑战和反机器人检查的可能性。专用 IP 通过确保只有一个用户与该 IP 关联来解决此问题。这也简化了使用 IP 来访问那些禁止经常制造麻烦的网站（如维基百科）的过程。

What Sets ExpressVPN's Approach Apart?

ExpressVPN 的方法有何独特之处？

ExpressVPN's dedicated IP system is an innovative blend of authentication systems, cryptographic attestation, and public trust infrastructure.

ExpressVPN 的专用 IP 系统是身份验证系统、加密证明和公共信任基础设施的创新组合。

It enables you to purchase a dedicated IP anonymously while effortlessly managing multiple dedicated IPs across devices.

它使您能够匿名购买专用 IP，同时轻松管理跨设备的多个专用 IP。

Essentially, when you purchase a dedicated IP from ExpressVPN, you receive an authentication token that's unique to your account. This token serves to verify that you have an active subscription – but not the IP associated with it.

本质上，当您从 ExpressVPN 购买专用 IP 时，您会收到您帐户独有的身份验证令牌。此令牌用于验证您是否具有有效的订阅，但不是与其关联的 IP。

To generate the remaining tokens required to access a specific dedicated IP, your client app submits it to ExpressVPN's authorization servers. Once this step is complete, you obtain your anonymous DIP “tickets” which can be used to enroll multiple ExpressVPN-enabled devices on the same dedicated IP.

要生成访问特定专用 IP 所需的剩余令牌，您的客户端应用程序会将其提交到 ExpressVPN 的授权服务器。完成此步骤后，您将获得匿名 DIP“门票”，可用于在同一专用 IP 上注册多个支持 ExpressVPN 的设备。

ExpressVPN's dedicated IP system is an innovative blend of authentication systems, cryptographic attestation, and public trust infrastructure.

ExpressVPN 的专用 IP 系统是身份验证系统、加密证明和公共信任基础设施的创新组合。

The critical aspect to consider is that if there's any correlation between the subscriber ID that uniquely identifies you and the access token that permits you to use a dedicated IP, your internet traffic is essentially being “logged”.

需要考虑的关键方面是，如果唯一标识您的订户 ID 与允许您使用专用 IP 的访问令牌之间存在任何关联，则您的互联网流量本质上已被“记录”。

This is why your subscriber ID and the dedicated IP access token are separate entities and must remain distinct throughout the process. Otherwise, a rogue ExpressVPN employee or a law enforcement officer with access to ExpressVPN's servers would be able to link your web traffic to your real identity.

这就是为什么您的订阅者 ID 和专用 IP 访问令牌是单独的实体，并且在整个过程中必须保持不同。否则，流氓 ExpressVPN 员工或有权访问 ExpressVPN 服务器的执法人员将能够将您的网络流量与您的真实身份关联起来。

To address this concern and ensure privacy, ExpressVPN has meticulously designed its backend according to a strict model.

为了解决这一问题并确保隐私，ExpressVPN按照严格的模型精心设计了其后端。

In this model, only trusted devices can simultaneously access the subscription ID token and the dedicated IP token to verify eligibility.

在此模型中，只有受信任的设备才能同时访问订阅 ID 令牌和专用 IP 令牌以验证资格。

ExpressVPN defines a “trusted” device as one that the end user can either control themselves (such as the VPN client) or one they can verify is running exactly the code that ExpressVPN claims is running.

ExpressVPN 将“可信”设备定义为最终用户可以自己控制的设备（例如 VPN 客户端），或者他们可以验证是否运行与 ExpressVPN 声称正在运行的代码完全相同的设备。

However, ExpressVPN cannot fully trust the client to carry out all of the eligibility requirements, as an attacker could potentially edit the client to gain access to dedicated IPs.

然而，ExpressVPN 无法完全信任客户端能够满足所有资格要求，因为攻击者可能会编辑客户端以获得对专用 IP 的访问权限。

This poses a fundamental question that underpins the entirety of its architecture: How do you verify someone’s eligibility to use a service in a way that’s both private and trustworthy for both parties?

这就提出了一个支撑整个架构的基本问题：如何以双方都私密且可信的方式验证某人使用服务的资格？

The Cornerstone of Trustworthy Computing

可信计算的基石

This is where Amazon's AWS Nitro Enclaves come into play.

这就是亚马逊的 AWS Nitro Enclaves 发挥作用的地方。

These servers are the lynchpin that holds the entire model together. Nitro Enclaves are virtual machines designed to run in a completely isolated environment.

这些服务器是将整个模型结合在一起的关键。 Nitro Enclave 是设计用于在完全隔离的环境中运行的虚拟机。

That means no network access, no permanent storage, and no communication with outside devices other than by a strictly defined API. It’s impossible to peek inside, making them great for the use case we’re looking at.

这意味着没有网络访问，没有永久存储，并且除了通过严格定义的 API 之外无法与外部设备进行通信。不可能窥视内部，这使得它们非常适合我们正在研究的用例。

How do you verify someone’s eligibility to use a service in a way that’s both private and trustworthy for both parties?

如何以双方都私密且可信的方式验证某人使用服务的资格？

Each Nitro Enclave has a public interface that allows anyone to query the server and receive certification that the enclave is running a particular software image.

每个 Nitro Enclave 都有一个公共接口，允许任何人查询服务器并接收该 Enclave 正在运行特定软件映像的认证。

All ExpressVPN has to do is publish the open source for these servers, and ta-da! You now have a trusted device that can prove eligibility privately and securely.

ExpressVPN 所要做的就是发布这些服务器的开源代码，然后就完成了！您现在拥有一台值得信赖的设备，可以私下安全地证明您的资格。

You know exactly what code is running on these servers, and you know an employee can’t read what’s going on inside.

您确切地知道这些服务器上正在运行什么代码，并且您知道员工无法读取内部发生的情况。

The rest of the authentication process isn’t

身份验证过程的其余部分不是