It may be a good time for the super-security conscious to stop using the internet for a few days (sitting in woods with a tin hat on is optional).
Researchers today announced the discovery of the ‘Heartbleed Bug’, so named because it affects OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). This is a vulnerability that allows attackers to compromise users’ cryptographic SSL keys, which could then be used to access secured messages, credit card information, documents ect. – basically anything protected by the OpenSSL certificates.
An attacker such as the NSA who has been blanket-collecting encrypted data could use this ‘bug’ to decrypt all data stored from a service in one go, and even more worryingly, an attack leaves no trace in servers’ logs, so there is no way for a system administrator to know if the servers have been compromised.
OpenSSL is by far the most commonly used cryptographic library on the internet, so this is a major problem that already has security professionals everywhere scrambling to update their certificates. It only affects OpenSSL 1.01 and 1.0.1 (beta), and is a result of how OpenSSL has been implemented, rather than a problem with the inherent design of OpenSSL. It particularly affects websites that are powered by the Apache web server, but as this is over 50 percent of all websites on the internet, this is of little comfort.
Systems using older versions of SSL are immune to the weakness, and the use of ephemeral keys (Perfect Forward Secrecy) goes a long way towards mitigating the problem.
Fortunately, this afternoon an emergency patch was released, along with a Security Advisory note.
How this affects VPN users
Any VPN provider who uses Nginx or Apache for their website, and any current version of Linux/BSD (almost all providers), are vulnerable, although as noted, the use of ephemeral keys will harden them against attacks). This means that their CA certificates may have been exposed, which could allow an attacker to impersonate the web server, or they could have their keys exposed, which could allow decryption of secure data exchanges on the website.
As a customer there is not much you can do except ask your VPN provider what they are doing about the problem, as this is server-side issue. Because there is no way to determine if their servers have been comprised, affected VPN providers (a large number of them) should all be rushing to patch their OpenSSL
They should hopefully then notify users that they need to download the updated CA certificates or, in the case of custom VPN clients, these should be updated automatically. We urge all readers to contact your providers to find out what action they are taking.
It should also be noted that Tor is affected by the bug too, and it recommends,
‘If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle’…