Today's best VPNs are a fiercely competitive bunch, always trying to offer something that the rest of the market doesn't.
ExpressVPN takes an unconventional approach to the competition. It doesn't try to outdo the others with the flashiest most jam-packed apps. Instead, ExpressVPN usually tries to push the bar with cutting-edge developments in VPN security.
The newest of these is dedicated IP, which combines cryptographically-backed tokens with a unique semi-public payment architecture to anonymize your purchase of the service and retain your anonymity.
Dedicated IPs: the pros and cons
Before we dive into the technical details, let’s review the basics of dedicated IPs.
When you use a VPN, you're assigned an IP address that other users are also attached to at the same time. It's the default. IP addresses are expensive, so VPN providers make us share to cut down on costs – but there are so privacy benefits, too.
Interested in the differences between shared and static IP addresses? Head on over to our detailed guide to dedicated IPs.
Because multiple people are sharing the same address, a shared IP makes it harder to definitively correlate traffic to a single user.
On the other hand, a dedicated IP is for you and you alone, and uniquely identifies you as the only user of that IP. It's a double-edged sword. They reduce the anonymity inherent to VPNs, for a start, making it even more important to ensure there’s no link between the purchased IP and your real details.
Dedicated IPs are invaluable in certain use cases. Many enterprise systems support IP whitelisting as part of their multi-factor authentication – like VPN access to internal networks. Using dynamic or shared IPs for this whitelisting is completely unsuitable, as it goes against the point of only allowing specific users access to a resource.
Using a shared IP makes you more likely to encounter CAPTCHA challenges and anti-bot checks, however. Dedicated IPs solve this issue by ensuring only one user is associated with the IP. This also makes it easier to access sites that use IPs to ban frequent troublemakers (like Wikipedia).
What makes ExpressVPN different?
ExpressVPN’s dedicated IP system is an innovative blend of authentication systems, cryptographic attestation, and public trust infrastructure.
It allows you to purchase a dedicated IP anonymously while also managing multiple dedicated IPs across devices, effortlessly.
In a nutshell, when you buy a dedicated IP from ExpressVPN you’re given an authentication token that is unique to your account. It confirms that you have an active subscription – but not the IP associated with it.
To generate the rest of the tokens required to access a specific dedicated IP, your client app has to submit it to ExpressVPN’s authorization servers. Once that's done, you'll have your anonymous DIP “tickets” which can be used to enroll multiple ExpressVPN-enabled devices on the same dedicated IP.
The issue is that if there’s any correlation between the subscriber ID that uniquely identifies you and the access token that lets you use a dedicated IP, your internet traffic is essentially being “logged”.
This is why your subscriber ID and the dedicated IP access token are separate entities and have to remain separate throughout the process. Otherwise, a rogue ExpressVPN employee or a law enforcement officer with access to ExpressVPN’s servers would be able to link your web traffic to your real identity.
This isn’t ideal, so ExpressVPN built its backend according to a strict model to solve the problem.
In this model, only trusted devices can access the subscription ID token and the dedicated IP token simultaneously to verify eligibility.
ExpressVPN defines a “trusted” device as one that the end user can either control themselves (such as the VPN client) or one they can verify is running exactly the code that ExpressVPN claims is running.
ExpressVPN can’t trust the client to carry out all of the eligibility requirements, however, as an attacker could edit the client to gain access to dedicated IPs.
This poses a question that underpins the entirety of its architecture: How do you verify someone’s eligibility to use a service in a way that’s both private and trustworthy for both parties?
The cornerstone
This is where Amazon’s AWS Nitro Enclaves come into play.
These servers are the lynchpin that holds the entire model together. Nitro Enclaves are virtual machines designed to run in a completely isolated environment.
That means no network access, no permanent storage, and no communication with outside devices other than by a strictly defined API. It’s impossible to peek inside, making them great for the use case we’re looking at.
Each Nitro Enclave has a public interface that allows anyone to query the server and receive certification that the enclave is running a particular software image.
All ExpressVPN has to do is publish the open source for these servers, and ta-da! You now have a trusted device that can prove eligibility privately and securely.
You know exactly what code is running on these servers, and you know an employee can’t read what’s going on inside.
The rest of the authentication process isn’t terribly interesting unless you’re a stickler for the nitty-gritty, with one exception.
ExpressVPN uses a blinded token system to prove your initial purchase of a subscription without tying it to your ExpressVPN ID.
This is a cryptographic scheme where you can submit a token without the recipient being able to read any identifying details about it – other than the fact it’s valid.
The recipient can then sign the token to say they’ve received it, and it’s valid in the future. Once it’s returned to you, you can use it as your signed proof of purchase without worrying about it being tied to your account ID.
What's next?
There’s clearly a need for trustworthy computing where all participants don’t just agree on the outputs but also on the methods used to create those outputs.
Leveraging Nitro Enclaves solves this issue for ExpressVPN without the need for expensive and energy-hungry blockchain technology – which has often been the sticking point for distributed VPNs.
Whether you're new to VPNs, introducing them to a friend, or just want a super-sleek UI, check out our guide to today's best VPNs for beginners.
Is this engineering overkill? It depends on your perspective. As I’ve said before, other providers such as Private Internet Access already implement a rudimentary token-based dedicated IP system. However, where ExpressVPN is truly innovating is in marrying high-tech privacy guarantees with a simplified user experience.
Significant work has been put into this solution to allow users to claim a refund on a dedicated IP subscription. Reading through the white paper, it would've been far simpler for ExpressVPN to implement a “fire-and-forget” style of token and simply say that all purchases are final.
Lost your authentication token? You’re out of luck. Instead, it's gone the extra mile to solve a hard privacy problem in a way that doesn’t inconvenience the average user, allowing the dedicated IP to go unused for up to 60 days and letting support staff reassign a new IP if you lose your initial access tokens.
There are some outstanding issues with the implementation, of course. ExpressVPN admits that an internal attacker with a sufficiently wide view of its infrastructure could potentially carry out a timing correlation attack (by observing when certain internal metrics increase and correlating that with the assignment of a new dedicated IP).
However, ExpressVPN also proposed measures to minimize the success of such an attack such as assignment delays and multi-hop. After all, it's not our top-rated secure VPN for nothing.