Recently a serious vulnerability in the popular OpenSSL cryptographic software library was disclosed, and we'd like to update you on the steps we've taken to ensure your security. In summary, the vulnerability allows an adversary to extract private keys (and session keys) used to encrypt traffic within an OpenVPN connection. This affects not only OpenVPN but many other services such as web, email, instant messaging, etc. For more details see the Heartbleed website.
Within a few hours of the vulnerability being announced we patched all vulnerable servers and regenerated 4096-bit certificates across our entire infrastructure. We announced this on Twitter at 1:38 PM (CEST) on 8 Apr 2014: https://twitter.com/ivpnnet/status/453497012647116800. If you have not yet followed us on Twitter, now is a good time to follow @ivpnnet for the latest updates.
What do you need to do?
Whilst our servers are protected, there still exists a vulnerability in the OpenVPN client software. Although adversaries are more likely to target a VPN server in an attack, we strongly recommend you upgrade your client software to remain secure. OpenVPN Technologies have released a new version of the software in the last 24 hours which fixes this vulnerability. If you are using L2TP/IPSec then this issue does not affect you at all. Otherwise, if you are using OpenVPN, please read the relevant section below:
If you are using the Tunnelblick client you need to update to either v3.3.2 or v3.4 Beta22, depending on whether you are running the stable or beta version. The beta version is required if you are using the latest version of OS X, 10.9.x Mavericks. If you have automatic updating configured in Tunnelblick you should receive an automatic notice to update on startup. Otherwise, please download and install the latest version from the Tunnelblick downloads page. Instructions for downloading and installing Tunnelblick can be found here.
If you are using the old Windows client (controlled by right-clicking the shield icon in the system tray) you should upgrade to the new IVPN client for Windows v1.1. If you are already using the new IVPN client, click on the 'update' link within the client to upgrade to version 1.1; the update link should automatically appear in 5 minutes after starting the client. Alternatively, if you do not wish to install the new IVPN client, you can still install the community edition of the OpenVPN client v2.3.3. You can follow these instructions on our website to install the community client.
OpenVPN on Linux uses the OpenSSL libraries installed on your system. Check your distribution's website for information and, if necessary, update OpenSSL using your package manager. Reboot to ensure the new OpenSSL libraries are loaded.
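To confirm that no running process is still using the old library after the package update, the following added example (not IVPN's or OpenVPN's own code) lists processes whose memory maps reference a libssl or libcrypto file that has been replaced on disk. It assumes a Linux /proc filesystem; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a replaced OpenSSL library.
# When a package manager replaces a shared library, processes started before
# the update keep the old file mapped, and /proc/PID/maps marks it "(deleted)".
# Run as root to see every process.

# stale_openssl_procs [PROC_ROOT]
# Prints "PID NAME" for each process with a deleted libssl/libcrypto mapping.
stale_openssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue   # process gone or glob did not match
        if grep -Eq '/lib(ssl|crypto)[^ /]*\.so[^ /]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir="${maps%/maps}"
            pid="${dir##*/}"
            name="$(cat "$dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# build_sample_proc DIR
# Writes a constructed /proc-like tree (PIDs, names and paths are made up).
build_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo openvpn > "$1/101/comm"
    printf '%s\n' \
      '7f10a000-7f10f000 r-xp 00000000 08:01 1311 /usr/lib/libssl.so.1.0.0 (deleted)' \
      '7f20a000-7f20f000 r-xp 00000000 08:01 1312 /usr/lib/libc.so.6' > "$1/101/maps"
    echo sshd > "$1/202/comm"    # started after the update: current library
    printf '%s\n' \
      '7f30a000-7f30f000 r-xp 00000000 08:01 1400 /usr/lib/libcrypto.so.1.0.0' > "$1/202/maps"
    echo editor > "$1/303/comm"  # deleted mapping, but not an OpenSSL library
    printf '%s\n' \
      '7f40a000-7f40f000 r-xp 00000000 08:01 1500 /usr/lib/libfoo.so.2 (deleted)' > "$1/303/maps"
}

sample="$(mktemp -d)"
build_sample_proc "$sample"
echo "Constructed sample:"
stale_openssl_procs "$sample"
rm -rf "$sample"

echo "This host:"
stale_openssl_procs /proc
```

Any process listed for the host is still running with the pre-update library until it is restarted; a reboot clears all of them at once.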
Thursday, April 10, 2014