heartbleed

Updated May 5, 2014

Heartbleed Bug

As many are aware, the Heartbleed bug, which affects several releases of the OpenSSL library, was recently announced publicly. Heartbleed is a serious bug in a major pillar of the internet that assures encrypted connections between computers.  Since the service we provide relies on encryption and the OpenSSL libraries, we want to explain the potential impact of this bug on our services.

Our Website

We feel reasonably confident our website was not affected by Heartbleed because we were not running a version of OpenSSL that was vulnerable to the bug - we were on an older version released prior to when the bug was introduced.  For this reason, we believe our website should not be vulnerable to the Heartbleed bug, so your personal confidential information should be unaffected.  In addition, we utilize the CloudFlare service for our website. As you may know, CloudFlare had advance knowledge of the issue and patched their service (and by extension, their customers' services) before the public announcement of the Heartbleed bug. Since the bug became public, we have updated our website to the patched OpenSSL library and restarted those services as a prudent measure. We are working with our SSL certificate signer to determine if we should re-issue our website SSL cert.

Our VPN Network / Gateway Servers

Our network admin team assessed our individual gateways and updated the OpenSSL libraries and OpenVPN server software to the patched version on the gateways that required it within just a few hours of the public Heartbleed announcement. We feel the short time period between the public release of the bug and the time we updated the gateways makes it unlikely a private key would have been revealed. We did monitor CloudFlare's public test to determine how long it might take someone to reveal a private key. The private key that Heartbleed could potentially expose is only used to verify to the client software that the server it is connected to is legitimately ours.  After the initial handshake, our client switches to another encryption technology to secure the channel, so communications sent over the VPN connection would not have been affected.  To be prudent we are replacing the keys the gateways use in the initial handshake connection. The new keys require that we issue a new version of our OctaneVPN client and also require updates to any .ovpn files you downloaded from our site.
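The website and gateway assessments above both start from the same question: does the OpenSSL build on a host belong to a release that shipped the bug? The following is an added example (not OctaneVPN's tooling) of that screening step. It classifies the output of `openssl version` by upstream release number, then triages a constructed host inventory; the hostnames and version strings are invented sample data.

```python
import re

# Upstream OpenSSL releases that shipped the vulnerable TLS heartbeat code:
# 1.0.1 (including its betas) through 1.0.1f, and the 1.0.2-beta1 pre-release.
# 1.0.1g and 1.0.2-beta2 carry the fix. The 0.9.8 and 1.0.0 branches never
# had the heartbeat extension and are not affected.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_heartbleed_affected(version_string: str) -> bool:
    """Return True if `openssl version` output names an affected upstream release.

    Caveat: distributions often backport fixes without changing the upstream
    version string (a patched build may still report 1.0.1e), so True here
    means "check the vendor advisory or package changelog", while False on a
    genuine upstream build is reliable.
    """
    m = _VERSION_RE.search(version_string)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version_string!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)                      # "" for 1.0.1, "e" for 1.0.1e, ...
    beta = int(m.group(5)) if m.group(5) else None
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 with no letter (release or beta) through 1.0.1f are affected.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1                     # only 1.0.2-beta1 shipped the bug
    return False


# Constructed sample inventory (hypothetical hosts), as an admin team might
# collect it by running `openssl version` on each gateway.
SAMPLE_INVENTORY = {
    "gw-a.example.invalid": "OpenSSL 1.0.1e 11 Feb 2013",
    "gw-b.example.invalid": "OpenSSL 1.0.0l 6 Jan 2014",
    "gw-c.example.invalid": "OpenSSL 1.0.1g 7 Apr 2014",
    "gw-d.example.invalid": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def triage(inventory: dict) -> list:
    """Return the sorted hostnames whose reported OpenSSL release is affected."""
    return sorted(h for h, v in inventory.items() if is_heartbleed_affected(v))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected release reported, patch and rotate keys")
```

Hosts flagged by `triage` are the ones whose handshake keys should be treated as potentially exposed, which is why the key rotation described above follows the patch rather than replacing it.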

What You Need To Do:

1) If you would like to update your password, feel free to do so by logging in at our website and choosing the Update Password link in the center of the Member's area. Note: we use two sets of passwords: One for PPTP and IPSec protocols (upper portion of the password reset page) and another for our website and OpenVPN connections (lower portion of the password reset page). You can update either or both.

2) If your devices use PPTP or IPSec connections, no action or update is necessary.

3) If you use an OpenVPN client such as a) our OctaneVPN client, b) the public OpenVPN project, or c) a third-party implementation of OpenVPN, and you downloaded a .ovpn file from us, the update steps are below.

OctaneVPN Client

We have released a new version of the OctaneVPN client for both Windows and Mac (v0.1.304) that will use new keys for the initial handshake connection and is also compiled with the latest (post-Heartbleed) OpenVPN binaries and OpenSSL libraries. We also included some other improvements that will lay the groundwork for future options to scramble headers and allow user-selectable encryption levels. Download and install the new version of the OctaneVPN client here.

OpenVPN Project

If you use a public version of the OpenVPN software for your connection and you downloaded a .ovpn file from us, you will need to update to a new .ovpn file which references the new certificate. We are also issuing a new file with it: crl.pem, which should be installed in a new directory below the OpenVPN /config/ directory. Typically, for Windows this would be /program files/openvpn/config/certs/crl.pem if you installed OpenVPN in the default location. The crl.pem file is a certificate revocation list that is referenced in the new .ovpn file. It tells your client not to accept the old server cert it used before. If you unzip the download into your /program files/openvpn/config/ directory, the /certs/ directory and crl.pem should be created during the unzip. Obtain the new .ovpn and .pem files here. If you want to connect to another gateway location, edit the .ovpn file in a text editor and change the gateway name to one of our other gateway names among those listed here.

Other OpenVPN Connections - Android / iOS / Linux / Various Routers and NAS Devices

As with the OpenVPN Project above, if you use another implementation of OpenVPN software and you obtained a .ovpn file from us, you should replace it with this one here. This .ovpn file does not include a reference to the crl.pem described above. Since the variety of OpenVPN implementations is wide, we are not sure which ones support using a certificate revocation list (crl.pem), so we are only including the .ovpn file. As above, if you wish to connect to a location other than the default location, just edit the file in a text editor, replacing the gateway name with your preferred gateway among those listed here. Some OpenVPN clients may support the crl.pem file referenced above, and if yours does, you can use the .ovpn + .pem files listed above instead.