Earlier this week, security researchers announced a security flaw in OpenSSL, a popular cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Steps that we are taking:

  • Most of our servers were not affected by Heartbleed bug including our website. Few VPN servers that were vulnerable were patched within few hours of the public disclosure of the bug.
  • As a security measure we will be replacing our public and private encryption keys. With a large user base changing keys can be very challenging. We will be updating the keys in batches to minimize disruption.

Steps that you have to take:

  1. To be on the safer side, we strongly recommend that you change your account passwords.
  2. When we replace our public and private encrption keys you will temporarily lose access to our servers. Reinstalling OpenVPN or updating config files will restore your access.
  3. Update OpenVPN software
    • Microsoft Windows: OpenVPN client v2.2.2 we provide is not vulnerable. However, versions 2.3 through 2.3.2 available on OpenVPN site ship a vulnerable version. If you are running an affected version, please overwrite your OpenVPN installation..
    • Mac: Tunnelblick has been updated to fix the vulnerability. The new client can be downloaded here
    • Linux/BSD: You need to update your version of OpenSSL to current, as it is installed separately as a dependency.
    • Routers: Please contact your router manufacturer or firmware vendor.
    • Mobile clients like on iPad, iPhone and Android devices, are not affected as they use PolarSSL instead.

What is Heartbleed bug
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.