VPN Users Still Vulnerable to Heartbleed Attack
While Heartbleed has mostly been taken care of by the affected websites, the security hole may still be an issue for those on VPN services. Most VPN service providers have already put up a notice letting their users know whether or not they were affected. If they were, most of those providers have, and certainly should have, taken care of the vulnerability.
Heartbleed is still a threat, however, and it’s still important to be aware of whether or not your VPN provider is vulnerable to that threat. Researchers have found that the vulnerability is still affecting some people on VPN connections.
How It Works
The researchers referenced above found that the Heartbleed exploit can be used to steal private keys. They also found evidence that at least one hacker had managed to hijack such keys, using the vulnerability to switch the VPN connection between a legitimate server and malicious servers. This would give the attacker access to session information, which undermines the security the VPN is supposed to provide.
If You Run a Homebrew VPN or Use a Commercial Service
As noted above, most commercial VPN providers have patched this vulnerability. If you’re not sure about yours, you can check their homepage to see whether or not they’ve addressed the issue. You may even get the happy news that the vulnerability never affected your provider in the first place.
However, if they have not fixed the issue, it’s time to consider how much you trust your VPN provider. Heartbleed is a known security issue, and it makes no sense to go with a provider that wouldn’t bother to fix it as soon as it was discovered.
If you have your VPN set up as a roll-your-own server, you’ll want to patch it immediately to fix this vulnerability. The current version of OpenVPN is patched to eliminate this security hole, and you will need to download and install that latest version right away for the best possible security.
There have already been attacks using this vulnerability and, since its discovery and since it started making the news, any hacker worth their computer will know how to find it and how to exploit it. Be sure that your VPN provider has taken care of the issue and, if you run your own server and haven’t patched it, the sooner you apply the patch, the safer you’ll be.