VikingVPN is currently doing emergency patching of all VPN servers to close a new vulnerability in OpenSSL named Heartbleed (CVE-2014-0160). This is a particularly nasty bug in OpenSSL 1.0.1 through 1.0.1f: the TLS heartbeat handler copies as many bytes as the peer's heartbeat message claims to contain, without checking that claim against the actual length of the record it received, so an attacker can read up to 64 KB of the process's memory per request (private keys, session keys, user credentials, whatever happens to be nearby) and can do so invisibly, because the request leaves nothing in the server logs. The fix shipped in OpenSSL 1.0.1g.
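To make the missing check concrete, here is an added example (not code from VikingVPN or from OpenSSL) that models the heartbeat handler in Python. A heartbeat message is type (1 byte), payload length (2 bytes), payload, then at least 16 bytes of padding. The "vulnerable" handler copies whatever length the peer claims and runs past the record into adjacent memory; the "fixed" handler applies the same length checks that OpenSSL 1.0.1g added. The ADJACENT_HEAP bytes are constructed for the example and stand in for whatever sat next to the record in the real process.

```python
import struct
from typing import Optional

# RFC 6520 heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
MIN_PADDING = 16

# Constructed sample of what sat next to the record on the heap; not real data.
ADJACENT_HEAP = (
    b"\x00" * 8
    + b"Cookie: session=9f3c1a77\r\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...constructed...\n"
    + b"\x00" * 8
)


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A well-behaved peer leaves claimed_length=None so the
    length field matches the payload; an attacker sets it to e.g. 0xFFFF."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + bytes(MIN_PADDING)


def handle_heartbeat_vulnerable(record: bytes, adjacent_heap: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trusts payload_length and copies that many bytes
    starting at the payload, running past the record into whatever follows it."""
    _hb_type, payload_length = struct.unpack("!BH", record[:3])
    heap = record + adjacent_heap  # the record sits at the start of a larger heap region
    # memcpy(bp, pl, payload): payload_length is never compared with the record length
    return heap[3:3 + payload_length]


def handle_heartbeat_fixed(record: bytes, adjacent_heap: bytes) -> Optional[bytes]:
    """1.0.1g behaviour. The added checks are
        if (1 + 2 + 16 > s->s3->rrec.length) return 0;        /* silently discard */
        if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard */
    adjacent_heap is unused here: a record that passes the checks can never read past itself."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    _hb_type, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return record[3:3 + payload_length]


def demo() -> dict:
    """Run an honest and a malicious request through both handlers."""
    honest = build_heartbeat(b"hello")
    malicious = build_heartbeat(b"A", claimed_length=0xFFFF)  # 20-byte record claiming 65535
    return {
        "honest_vulnerable": handle_heartbeat_vulnerable(honest, ADJACENT_HEAP),
        "honest_fixed": handle_heartbeat_fixed(honest, ADJACENT_HEAP),
        "malicious_vulnerable": handle_heartbeat_vulnerable(malicious, ADJACENT_HEAP),
        "malicious_fixed": handle_heartbeat_fixed(malicious, ADJACENT_HEAP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The honest request behaves identically in both handlers, which is why the bug went unnoticed for two years; only the malicious record shows the difference, and the fixed handler drops it without responding at all, so a scanner that probes a patched server gets silence rather than an error it could fingerprint.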
What we are doing:
Emergency patching OpenSSL on all VPN servers to close the security hole. We are also updating the hardened server that generates customer keys and certs, and regenerating server credentials appropriately.
How this impacts our users:
Our website does not use OpenSSL, and our root CA for the VPN was not exposed by this vulnerability. The impact on our users is far less serious than it could have been: the settings we use on our network largely mitigated the problem before any patch was applied.
1) Because we use the tls-auth directive (the "HMAC Firewall" setting) in OpenVPN and do not allow it to be disabled, every TLS control-channel packet must carry a valid HMAC made with the static tls-auth key before OpenVPN hands it to OpenSSL at all. An attacker who does not hold that key cannot deliver a heartbeat request to the server, or to a vulnerable client, so there is no risk of a client-side data breach from such an attacker, even with a vulnerable client.
2) Because we use ephemeral keys and have implemented perfect forward secrecy with hourly key changes, surveillance systems that store encrypted traffic long-term (like the NSA's PRISM, GCHQ's Tempora or the FSB's SORM) gain nothing from a leaked long-term key: this vulnerability does not allow decryption of previously captured data.
3) Because we use a mixed-vendor infrastructure (chosen specifically to harden our network against a single point of failure), a man-in-the-middle or man-on-the-side attack against the VPN is not possible.
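The gate described in point 1) above, as an added example that is not part of the original post and not OpenVPN's own code: a simplified model of what tls-auth does in front of the TLS layer. The packet layout, the opcode value and the 32-byte STATIC_KEY are assumptions made for the example (real OpenVPN uses a 2048-bit ta.key split per direction and also covers a timestamp in the HMAC); the point is that the HMAC is verified, and replays rejected, before a single byte of the packet body is parsed, so a forged heartbeat from someone without the key never reaches OpenSSL.

```python
import hashlib
import hmac
import os
import struct
from typing import List

# Assumed simplified control-channel packet for this example:
#   opcode (1 byte) | packet_id (4 bytes, big-endian) | body | tag (HMAC-SHA1, 20 bytes)
# The opcode value is illustrative; SHA1 is the default digest of --auth in OpenVPN 2.3.
OPCODE_CONTROL = 4
HEADER = struct.Struct("!BI")

# Constructed static key for the example; a real one comes from `openvpn --genkey --secret ta.key`.
STATIC_KEY = bytes.fromhex("3d" * 32)


class TlsAuthGate:
    """Everything that wants to reach the TLS layer must first pass this gate."""

    def __init__(self, key: bytes, digest=hashlib.sha1):
        self._key = key
        self._digest = digest
        self._tag_len = digest().digest_size
        self._highest_packet_id = -1        # replay protection, simplified to "strictly increasing"
        self.delivered: List[bytes] = []    # bodies that reached the (simulated) TLS layer
        self.dropped = 0

    def seal(self, packet_id: int, body: bytes) -> bytes:
        """What a legitimate peer sends: header || body || HMAC(key, header || body)."""
        msg = HEADER.pack(OPCODE_CONTROL, packet_id) + body
        return msg + hmac.new(self._key, msg, self._digest).digest()

    def receive(self, wire: bytes) -> bool:
        """Return True if the packet was handed to TLS, False if it was dropped.
        The tag is checked before anything inside the packet is interpreted."""
        if len(wire) < HEADER.size + self._tag_len:
            self.dropped += 1
            return False
        msg, tag = wire[:-self._tag_len], wire[-self._tag_len:]
        expected = hmac.new(self._key, msg, self._digest).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            self.dropped += 1
            return False
        opcode, packet_id = HEADER.unpack(msg[:HEADER.size])
        if opcode != OPCODE_CONTROL or packet_id <= self._highest_packet_id:
            self.dropped += 1                         # wrong packet type or a replay
            return False
        self._highest_packet_id = packet_id
        self.delivered.append(msg[HEADER.size:])
        return True


def demo() -> dict:
    """Legitimate peer, attacker without the key, and attacker replaying a captured packet."""
    server = TlsAuthGate(STATIC_KEY)
    peer = TlsAuthGate(STATIC_KEY)        # legitimate client holding the same ta.key

    legit = peer.seal(1, b"ClientHello")
    accepted_legit = server.receive(legit)

    # Attacker without ta.key: a TLS heartbeat record (type 0x18) claiming a 0xFFFF payload,
    # sealed with a key of their own, so the tag cannot match.
    attacker = TlsAuthGate(os.urandom(32))
    forged = attacker.seal(2, b"\x18\x03\x02\x00\x03\x01\xff\xff")
    accepted_forged = server.receive(forged)

    # Attacker replaying the captured legitimate packet: valid tag, stale packet_id.
    accepted_replay = server.receive(legit)

    return {
        "legit": accepted_legit,
        "forged": accepted_forged,
        "replay": accepted_replay,
        "reached_tls": list(server.delivered),
        "dropped": server.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

To confirm the gate is actually on, check that the server config has "tls-auth ta.key 0" and every client config has "tls-auth ta.key 1" (or the equivalent key-direction lines) and that ta.key is identical on both ends; a client whose config omits the directive cannot connect to such a server, which is the behaviour the post relies on when it says the setting cannot be disabled.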
What user action should be taken:
- If you have any apps that rely on OpenSSL, upgrade them, or the OpenSSL they link against, to the fixed version (1.0.1g) as soon as possible. This vulnerability is going to get ugly fast: it is very clear how the exploit works, and it is only a matter of time before a tool is written specifically to exploit it.
- Although it is likely entirely unnecessary, the best step our users can take right now is to get a new set of keys and certs from our website. Sign in, visit the profiles area, and generate a new set of config files there. The new files contain entirely new keys and certs, and generating them revokes all of the existing keys and certs for your account.
- A patched Windows OpenVPN client installer has been issued that closes this vulnerability; you can download and install it here. OpenVPN 2.3.3 is going to be released Thursday April 10th and will contain the same fix, plus additional security enhancements and features.
- A patch for Tunnelblick has been issued that closes this vulnerability. You can download and install the latest version (3.3.2) here.
- If you are using a non-Windows client, OpenVPN does not bundle its own copy of OpenSSL; it links against the system library. Update OpenSSL from your distribution's repositories, then restart OpenVPN (and any other long-running program that uses OpenSSL), because a running process keeps the old, vulnerable library loaded until it is restarted. Be aware that many distributions backport the fix without changing the version string, so "openssl version" may still print 1.0.1e on a patched system; check your distribution's security advisory rather than relying on the version number alone.
- If you are using the OpenVPN Connect app for Android or iOS, you are NOT vulnerable to Heartbleed. These apps use PolarSSL, not OpenSSL. You do not need to update your clients.
This article has been updated multiple times for clarity and accuracy.