The Heartbleed bug absolutely set the internet security world on its ear. To quote internet security expert Bruce Schneier on the Heartbleed bug:
“‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
That’s right, the Heartbleed bug went Spinal Tap. Is that too dated a reference?
Heartbleed is a vulnerability in the OpenSSL software library. Exploiting it allowed attackers to read and steal up to 64 KB of memory from vulnerable servers that were running OpenSSL. The information at risk was primarily SSL private keys, passwords, user keys and logins, but to put it simply, pretty much anything the server was holding in memory could be exposed.
What to do about the Heartbleed bug
First, test whether your website was vulnerable to the Heartbleed bug in the first place. If it was, apply the Heartbleed patch that is now available and update your SSL certificate. Once you have done this, change every single password that could have been stolen.
Debate on what you should do is varied, and sometimes…passionate. You can’t go wrong with an updated SSL certificate, and a password change. You may want to change your passwords a second time once your new SSL certificate arrives, just to be on the ultra-cautious side.
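As an added example (not part of this post, and not a tool from any of the services below), here is a defender-side check in Python: it parses the ServerHello a server sends back during a TLS handshake and reports whether the server still negotiates the TLS heartbeat extension (extension type 15), which is where Heartbleed lived. The ServerHello bytes are constructed inline for the example rather than captured from a real server; a server that no longer advertises the extension has nothing for the bug to reach.

```python
import struct

HEARTBEAT_EXT = 15  # RFC 6520 heartbeat extension: the code Heartbleed lived in


def build_server_hello(extensions):
    """Build a minimal TLS 1.2 ServerHello record (constructed test input only)."""
    hello = b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session_id
    hello += b"\xc0\x2f" + b"\x00"                     # cipher_suite, null compression
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
        hello += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello   # HandshakeType.server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


def server_hello_extensions(record):
    """Parse a TLS record holding a ServerHello and return {extension_type: data}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                  # skip server_version and random
    pos += 1 + hello[pos]                         # skip session_id
    pos += 2 + 1                                  # skip cipher_suite and compression_method
    exts = {}
    if pos == len(hello):                         # ServerHello without an extensions block
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end != len(hello):
        raise ValueError("extensions length does not match ServerHello length")
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def negotiates_heartbeat(record):
    """True if the server accepted the heartbeat extension in its ServerHello."""
    return HEARTBEAT_EXT in server_hello_extensions(record)


# Constructed samples: one server that still negotiates heartbeat, one that does not.
HELLO_WITH_HEARTBEAT = build_server_hello({0xFF01: b"\x00", HEARTBEAT_EXT: b"\x01"})
HELLO_WITHOUT_HEARTBEAT = build_server_hello({0xFF01: b"\x00"})
```

In practice you would feed `server_hello_extensions` the first record returned after sending a ClientHello that offers extension 15; if the reply still carries it, the server has not had the extension disabled and needs the patch.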
How our Top 3 VPNs were affected by or responded to the Heartbleed Bug
Our Top 3
Hide My Ass’ users are safe due to separate subdomain
Speaking on their forum in response to a Heartbleed-related post, Hide My Ass said:
Heartbleed only affected www.hidemyass.com because of the anti-DDOS provider we use and the vulnerability was not on our server itself. As you may be aware, users interact with our service via a separate server on subdomain vpn.hidemyass.com which was unaffected. Therefore, HMA! Pro VPN users have not had their user credentials exposed by Heartbleed. Nonetheless, it is currently advisable to change all passwords used on the internet, particularly for highly sensitive services, such as email and banking. We are issuing a full statement later today and have already been working to issue clarifications to the media – e.g. http://gizmodo.com/h…e-is-1560812671
Even though you’re safe, it is still a good idea to change your passwords!
IPVanish was not affected by Heartbleed bug
Users of IPVanish have nothing to worry about. IPVanish did not support the particular OpenSSL extension that was vulnerable (the TLS Heartbeat extension, TLS extension 15), so everything is fine with them. Here is their statement from their blog:
After a review of the Heartbleed OpenSSL vulnerability, we’ve determined that our SSL implementation was never vulnerable. From the get go, we have been using versions of OpenSSL that were unaffected (OpenSSL versions 1.0.0j, 1.0.0e and 0.9.8). We haven’t supported the TLS extension 15, the Heartbeat extension vulnerable to the attack, and we invite you to use public tools such as http://possible.lv/tools/hb/ or http://filippo.io/Heartbleed/ to test any of our servers to verify.
While never vulnerable, we have found that our website supports an older version of SSL, SSL V2, that we are disabling as a precaution. Additionally, while our servers and software never used the TLS extension 15, we are working to update to the latest version of the OpenVPN patch for additional peace of mind.
Private Internet Access take precautionary measures
Private Internet Access (PIA) stated numerous times that their website wasn’t vulnerable, because their hardware load balancers did not run the vulnerable OpenSSL extension (again, TLS extension 15). As a precaution, they still went ahead and changed their certificates.
As for their
All of our VPN gateways were patched within 4 hours (UTC 23:17:15 on Apr 7 2014) of the public disclosure of Heartbleed (UTC 19:00:00 on Apr 7 2014). We moved from OpenSSL 1.0.1f to the non-exploitable version 1.0.1g. In terms of our keys, the original researcher who discovered Heartbleed, Neel Mehta, says that private keys are safe, and we agree with his conclusion.
Conclusion about the Heartbleed bug and VPN services
The top 3
Photo credit to Open Access BPO.