You have probably heard about the recently discovered vulnerability (referred to as the Heartbleed bug) in the OpenSSL cryptographic software library, a worldwide standard used by most web servers.
What exactly is the Heartbleed vulnerability and why is everybody so worried?
Watch the video below, made by Zulfikar Ramzan, CTO of cloud security company Elastica.
To sum up, the OpenSSL library that secures a lot of websites can be tricked into providing data (personal info, credit card info, passwords, encryption keys) that should otherwise not be accessible. Further, if a hacker gets the encryption keys of a particular site, he/she would be able, at least in theory, to access all the secured info passed to that site. Just imagine what that would mean if the target is a popular shopping site.
Should I change my passwords?
Back to the subject title: should you change your passwords and, more specifically, the password to your VPN account or the password used to secure your VPN connections?
As far as I understand, the chances of your passwords being compromised are slim, but “better safe than sorry.” It is possible that your VPN provider uses OpenSSL to secure its connections and at some point, a hacker might have access to specific private data including your password. As I said, it is not very likely, but you should change the password or passwords anyway. In case you have distinct passwords for the Client Area and the VPN connection, you should replace them both.
VPN Providers Response to the Heartbleed Vulnerability
Heartbleed Reports – You probably heard about the recently discovered Heartbleed problem. If you are using a VPN to secure your internet connection and unblock restricted websites, you probably wonder whether your VPN provider was affected. VPN services that implement PFS (Perfect Forward Secrecy) may not be affected.
Find out how VPN providers reacted to this crisis and how they are handling it.
April 8, 2014, Heartbleed Reports
AirVPN replaced the vulnerable OpenSSL versions on every part of its infrastructure and updated the internal SSL certificates. The official announcement is here.
BolehVPN patched the GUI versions and updated the BolehVPN-GUI to remove the threat. Read more here.
VikingVPN performed emergency patching to all VPN servers. More details here.
12vpn tweeted: “We’ve patched our web servers already. The VPN methods we use are not affected.”
GetCloak: “Key portions of the Cloak service were vulnerable to this bug. We have now patched all of our systems”.
iVPN tweeted: “We’ve patched OpenSSL and reissued new 4096 bit RSA certificates across all servers.”
April 9, 2014, Heartbleed Reports
5% of the TorGuard server clusters were found to be using the compromised version of OpenSSL. Read more here.
Identity Cloaker is safe. See more here.
SecureTunnel tweeted: “VPN servers & software are being evaluated and updated where needed.”
The HideMyAss site looks vulnerable.
Mullvad advises you to upgrade to the new client immediately.
LiquidVPN states that: “All of our OpenVPN servers have been patched and new private keys generated.”
TunnelBear on Twitter: “TunnelBear won’t let your #Heartbleed, we’ve updated OpenSSL, revoked and replaced our TLS certificates.”
IPVanish announced that they were not affected by the Heartbleed exploit. You may find more details here.
VyprVPN stated that it used OpenSSL 1.0.1e, which is vulnerable to the Heartbleed Bug, for OpenVPN connections. Hence, they are preparing updated versions of the apps that use non-vulnerable versions of OpenSSL.
April 10, 2014, Heartbleed Reports
Private Internet Access announced that they had applied a patch to their servers in order to update OpenSSL. More details here.
ibVPN updated its server network yesterday. However, the website is not affected. Find more info here.
blackVPN on Reddit: “Unfortunately we did find some servers that were vulnerable, so we updated all servers on April 8th as soon as we found out about the bug.”
HideIpVPN announced that it is not affected by the Heartbleed vulnerability.
StrongVPN patched all of its OpenVPN servers with an updated version of OpenSSL that fixed this vulnerability. Find more details here.
April 11, 2014, Heartbleed Reports
PureVPN remains secure from the Heartbleed bug. Find more details here.