Heartbleed Bug and VPN Providers
The Heartbleed bug has been all over the news this week and, if you’re using a VPN service, you’re probably wondering if it affects you. The answer is, maybe. It largely depends upon whether or not your VPN provider has patched their systems.
First, Check Your Provider
Some providers, such as AirVPN and OpenVPN responded to vulnerabilities on their systems by issuing patches very quickly. If your provider has done this, you’ll likely see an announcement on their website. They may also provide additional support, such as suggesting using a generic version of an OpenVPN client until theirs is patched.
Others were not affected by the vulnerability. IPVanish, for instance, published on its site that they had not implemented the vulnerable version of OpenSSL on their servers, so there was never any risk from Heartbleed for any of their customers.
If You See No Update
If your VPN provider has offered no information about the status of their servers and whether they have taken measures to secure themselves against this vulnerability, you should email your support or otherwise get in touch with them to find out what’s going on. You’re paying for the service, the service is privacy and you have a right to know whether your company has addressed the issue or if they weren’t affected at all.
Remember Your OS
If you happen to be using the Linux operating system, you’ll want to check your version of OpenSSL and, if needed, reinstall it to a patched version of the protocol. If you’re on Windows or Mac OS, you can download the newest version of OpenVPN from the development site.
If your provider uses ephemeral keys, it’s likely that they were not affected. You can usually find this out on their FAQ.
One area you may want to check is the website for your provider and your account. If the website happened to use a vulnerable version of Open SSL, there’s a chance that you could have been compromised. Wait until the site is patched and change your security credentials to be sure. Remember that the website for your provider will use separate security than their network, so the fact that their VPN servers were unaffected may not mean that the same is true of their website.
Keep an eye on the news regarding Heartbleed. The patches are rolling out, but be sure to verify that your provider is taking measures to close the security vulnerability.