
The Heartbleed Bug and our Top 3 VPNs


The Heartbleed bug absolutely put the internet security world in its ear. To quote internet security expert Bruce Schneier on the Heartbleed bug:

“‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

That’s right, the Heartbleed bug went Spinal Tap. Is that too dated a reference?

The Heartbleed bug is a vulnerability in the OpenSSL software library. It allowed attackers to read, and steal, up to 64k of memory per request from vulnerable servers running OpenSSL. The most sensitive information at risk was SSL private keys, passwords, user keys and logins, but to put it simply, pretty much anything held in the server's memory could be exposed.

What to do about the Heartbleed bug

First, test to see if your website was vulnerable to the Heartbleed bug in the first place. If it was, apply the patch for the Heartbleed bug, which is now available, and update your SSL certificate. Once you have done this, change every single password that could have been stolen.

Debate on what you should do is varied, and sometimes…passionate. You can’t go wrong with an updated SSL certificate, and a password change. You may want to change your passwords a second time once your new SSL certificate arrives, just to be on the ultra-cautious side.

How our Top 3 VPNs were affected by or responded to the Heartbleed Bug

Our Top 3 VPN providers all have websites which are hosted on servers with the same potential vulnerabilities to the Heartbleed bug as any other website. Being leaders in the online security industry, they were quick to discuss their situation, and reassure users that they were secure against the Heartbleed bug.

Hide My Ass’ users are safe due to separate subdomain

Speaking on their forum in response to a Heartbleed-related post, Hide My Ass said:

Heartbleed only affected www.hidemyass.com because of the anti-DDOS provider we use and the vulnerability was not on our server itself. As you may be aware, users interact with our service via a separate server on subdomain vpn.hidemyass.com which was unaffected.

Therefore, HMA! Pro VPN users have not had their user credentials exposed by Heartbleed. Nonetheless, it is currently advisable to change all passwords used on the internet, particularly for highly sensitive services, such as email and banking. We are issuing a full statement later today and have already been working to issue clarifications to the media – e.g. http://gizmodo.com/h…e-is-1560812671

Even though you’re safe, it is still a good idea to change your passwords!

IPVanish was not affected by Heartbleed bug

Users of IPVanish have nothing to worry about. Their OpenSSL builds did not support the particular TLS extension that was vulnerable, the Heartbeat extension (TLS extension 15). Everything is fine with them. Here is their statement from their blog:

After a review of the Heartbleed OpenSSL vulnerability, we’ve determined that our SSL implementation was never vulnerable. From the get go, we have been using versions of OpenSSL that were unaffected (OpenSSL versions 1.0.0j, 1.0.0e and 0.9.8). We haven’t supported the TLS extension 15, the Heartbeat extension vulnerable to the attack, and we invite you to use public tools such as http://possible.lv/tools/hb/ or http://filippo.io/Heartbleed/ to test any of our servers to verify.

While never vulnerable, we have found that our website supports an older version of SSL, SSL V2, that we are disabling as a precaution. Additionally, while our servers and software never used the TLS extension 15, we are working to update to the latest version of the OpenVPN patch for additional peace of mind.
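Both providers above make the same argument: a server that never negotiates TLS extension 15 (Heartbeat) cannot have its memory read by Heartbleed. The following added example (not code from this post or from either provider) shows how a defender can verify that claim from a captured TLS ServerHello, by parsing the extensions block and flagging extension 15, alongside a check of an OpenSSL version string against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, per the OpenSSL advisory). The ServerHello records are constructed inline for the demonstration.

```python
import struct

HEARTBEAT_EXT = 15  # TLS ExtensionType for Heartbeat (RFC 6520), abused by Heartbleed
# OpenSSL releases affected by Heartbleed (CVE-2014-0160); 1.0.1g and the 1.0.0/0.9.8
# branches are not. Assumed from the OpenSSL advisory, not from the post above.
VULNERABLE_OPENSSL = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e",
                      "1.0.1f", "1.0.2-beta1"}


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a TLS record carrying a ServerHello."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])  # record header
    if ctype != 22:
        raise ValueError("not a TLS Handshake record")
    body = record[5:5 + rlen]
    if body[0] != 2:                                          # HandshakeType.server_hello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                              # server_version + random
    pos += 1 + hello[pos]                                     # session_id (length-prefixed)
    pos += 2 + 1                                              # cipher_suite + compression
    exts = {}
    if pos >= len(hello):
        return exts                                           # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def heartbeat_enabled(record: bytes) -> bool:
    """True if the server advertised Heartbeat, i.e. the extension Heartbleed needs."""
    return HEARTBEAT_EXT in parse_server_hello_extensions(record)


def openssl_version_affected(version: str) -> bool:
    return version in VULNERABLE_OPENSSL


def build_server_hello(extensions: list) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data for this example)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(ext_body)) + ext_body
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: one server negotiates Heartbeat (mode 1 = peer_allowed_to_send),
# the other only renegotiation_info (0xff01), as a hardened server like IPVanish's would.
SAMPLE_WITH_HEARTBEAT = build_server_hello([(0xFF01, b"\x00"), (HEARTBEAT_EXT, b"\x01")])
SAMPLE_WITHOUT_HEARTBEAT = build_server_hello([(0xFF01, b"\x00")])
```

Absence of extension 15 in the ServerHello means Heartbeat is not negotiated for that connection, which is exactly what the two providers relied on; it is still no substitute for running a patched OpenSSL.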

Private Internet Access takes precautionary measures

Private Internet Access (PIA) stated numerous times that their website wasn’t vulnerable, because their hardware load balancers did not support the vulnerable TLS Heartbeat extension (TLS extension 15, again). As a precautionary measure, they still went ahead and changed their certificates.

As for their VPN servers, they had this to say on their blog post about Heartbleed:

All of our VPN gateways were patched within 4 hours (UTC 23:17:15 on Apr 7 2014) of the public disclosure of Heartbleed (UTC 19:00:00 on Apr 7 2014). We moved from OpenSSL 1.0.1f to the non-exploitable version 1.0.1g. In terms of our keys, the original researcher who discovered Heartbleed, Neel Mehta, says that private keys are safe, and we agree with his conclusion.

Conclusion about the Heartbleed bug and VPN services

The top 3 VPN clients in our ranking are there for a reason. As you read above, they were prepared for an attack like this, and they protected you throughout the entire Heartbleed bug ordeal. Your data was safe, you were safe, and they still had the foresight to take precautionary measures and advise you to do the same by changing your passwords.

Photo credit to Open Access BPO.