Heartbleed: Post Mortem

6:00:00 PM

At Private Internet Access, we consider the privacy and safety of our customers to be our highest priority. This is our business. This is our expertise. We wanted to take a brief pause from our research and development to discuss some of the decisions we made to prepare for attacks like Heartbleed, and how we reacted to Heartbleed after its public disclosure.

Our website
As we have said on our forums and social networks, our site was not and continues not to be vulnerable to the Heartbleed bug. This is because our hardware load balancers are not running the vulnerable OpenSSL implementation. Even so, we went ahead and revoked, re-keyed and rotated our certificates as a precaution.

Our VPN servers
All our VPN gateways were patched within 4 hours (UTC 11:17:15 p.m., April 7, 2014) of the public disclosure of Heartbleed (UTC 19:00:00, April 7, 2014). We went from OpenSSL 1.0.1f to the non-vulnerable version 1.0.1g. In terms of our keys, the original researcher who discovered Heartbleed, Neel Mehta, says that private keys are safe, and we agree with his conclusion.

In addition, the keys are used for DHE / ECDHE key exchange, meaning possession of the certificate does not expose the actual keys used to encrypt your data. What this means is that, even assuming someone has a 0-day exploit of some kind that compromises our certificates, they would still not be able to decrypt and read the data on your network.

It is also interesting to note that after the Heartbleed disclosure, a number of POCs (proofs of concept) were made available to the public. These scripts attacked TLS running over HTTP (HTTPS) and do not work against OpenVPN's custom protocol, over which OpenVPN runs TLS, and which is much more complex than the plain TLS over TCP that HTTPS uses. As far as we know, there were no exploits in the wild for the TLS implementation in OpenVPN's custom protocol, especially not in the window between the announcement and the completion of the fix by our team.
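As an added defender-side example (not PIA's code), the following Python audits OpenVPN-style client log lines for the two points made above: whether the linked OpenSSL build falls in the upstream Heartbleed-affected range (1.0.1 through 1.0.1f; 1.0.1g is fixed) and whether the negotiated control-channel cipher uses DHE/ECDHE key exchange, so a later certificate compromise does not expose session keys. The log lines, their formats and all values are constructed for this example.

```python
import re

# Constructed sample of OpenVPN-style client log lines (not real captured output).
SAMPLE_LOG = """\
Mon Apr  7 23:20:01 2014 library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Mon Apr  7 23:20:04 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Apr  8 03:10:01 2014 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06
Tue Apr  8 03:10:05 2014 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 AES256-SHA, 2048 bit RSA
"""

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
CIPHER_RE = re.compile(r"cipher \S+ ([A-Z0-9-]+)")


def heartbleed_vulnerable(version: str) -> bool:
    """True for upstream OpenSSL 1.0.1 .. 1.0.1f and 1.0.2-beta1.
    Distributions backport fixes without bumping the letter suffix, so a hit
    means 'verify this host', not proof of exposure."""
    m = VERSION_RE.search(version)
    if not m:
        return False
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) == (1, 0, 1):
        return letter == "" or letter <= "f"
    return (major, minor, patch) == (1, 0, 2) and "beta1" in version


def forward_secret(cipher_suite: str) -> bool:
    """DHE/ECDHE (OpenSSL also spells DHE as EDH) use ephemeral key exchange:
    leaking the certificate's private key later does not reveal session keys.
    Plain RSA key transport (e.g. AES256-SHA) does not have this property."""
    return cipher_suite.startswith(("DHE-", "ECDHE-", "EDH-"))


def audit_log(text: str) -> list:
    """Return one (kind, value, ok) finding per version or cipher line."""
    findings = []
    for line in text.splitlines():
        vm = VERSION_RE.search(line)
        if vm:
            version = vm.group(0)[len("OpenSSL "):]
            findings.append(("openssl", version, not heartbleed_vulnerable(line)))
            continue
        cm = CIPHER_RE.search(line)
        if cm:
            findings.append(("cipher", cm[1], forward_secret(cm[1])))
    return findings


if __name__ == "__main__":
    for kind, value, ok in audit_log(SAMPLE_LOG):
        print(f"{kind:8} {value:24} {'OK' if ok else 'REVIEW'}")
```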

Our VPN clients
Our clients do not require updates, because they apply preventive measures to protect against connecting to a malicious server. Moreover, even assuming that for some other reason a VPN client could connect to a malicious VPN server, a VPN client being vulnerable to Heartbleed is not harmful in any additional way. Since all modern operating systems we support provide memory protection that prevents a process from reading the memory of a different process, the malicious server would only be able to read data belonging to the OpenVPN client process, that is, data that the client had already sent to the server.

To be clear, even if for some reason an adversary could obtain your Private Internet Access connection credentials, they would still not be able to decrypt your data transfer.

Peace of Mind
Please be assured that we are constantly researching security to ensure the highest levels of privacy for our users. Although no single site / service can guarantee 100% safety, we assure you that we are second to none in our efforts to achieve those levels. Still, since we are not perfect, we have many safeguards in place. Finally, if you are a security researcher and believe you have found an exploit, please participate in the Private Internet Access WASP.

We will continue to monitor Heartbleed for any new revelations and will update this post if necessary.
