On 4/7/2014 we received an SMS alert about the OpenSSL 1.0.1a vulnerability and promptly began an audit to identify vulnerable systems and take any necessary corrective actions. The effect of the Heartbleed bug on LiquidVPN’s systems was very minimal because of several design elements in our infrastructure. Nevertheless, to minimize any potential damage, we felt that a complete audit and peer review was necessary before writing this. The original ticket from 4/7/2014 can be found here. Here are the highlights:
- Some of our OpenVPN servers used OpenSSL 1.0.1f, which was a vulnerable version. On 4/7/2014 at 3:00 EDT we began patching all of the affected VPN servers; at 9:00 EDT the last OpenVPN server was patched. If you were on a vulnerable OpenVPN server, your OpenVPN data channel is not in jeopardy of having been compromised, because LiquidVPN uses ephemeral session keys and perfect forward secrecy. There is a chance that VPN usernames and passwords could have been compromised, but this would only allow a third party to use one of your VPN sessions. We highly recommend that users change their username and password from the client area.
- Our web server used a vulnerable OpenSSL version and was upgraded at 9:00 EDT. This poses minimal risk to anyone unless they are manually forcing their browser not to support Perfect Forward Secrecy or are using Yandexbot 3, IE 6 or IE 8.
Other actions taken by LiquidVPN.
- On 4/7/2014 from 3:00 EDT to 9:00 EDT we replaced every vulnerable OpenSSL version with a non-vulnerable one and reset any open sessions.
- On 4/7/2014 we set up two test nodes and began testing the latest OpenVPN server images, and concluded that it would be best to reboot the servers instead of just restarting the services.
- Starting at midnight on 4/8/2014 we began rebooting all of our OpenVPN servers.
- On 4/8/2014 we began the process of reissuing the SSL certificate for the web server. It was finalized at 1:00 AM EDT on 4/9/2014.
- We changed all of the administrator passwords.
- On 4/8/2014 new configurations were pushed out to the Liquid Viscosity users.
- On 4/8/2014 new configurations were uploaded for standard OpenVPN users. We had been waiting for a chance to consolidate our CA keys and took this opportunity to do so. If you are on OpenVPN you are urged to download the latest configuration files to protect against a possible (though very unlikely) MitM attack. If you are using pfSense/DD-WRT/Tomato and your connection stopped working, you must download the new configuration files.
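As an added example (not LiquidVPN's own tooling), the two checks the audit and the reboot decision above imply, in Python: classify an OpenSSL version line as Heartbleed-affected or not, and list processes that still map a libssl/libcrypto file replaced on disk, which a package upgrade alone does not fix. The version strings are constructed samples, and the /proc layout is the Linux one.

```python
import os
import re

# Heartbleed (CVE-2014-0160) is in OpenSSL 1.0.1 through 1.0.1f and in
# 1.0.2-beta1; 1.0.1g fixed it. The 0.9.8 and 1.0.0 branches never had
# the TLS heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_heartbleed_version(version_line):
    """Classify one `openssl version` or `openvpn --version` output line.

    True = affected upstream version, False = unaffected, None = no OpenSSL
    version in the line. False is only a screen: distributions may backport
    the fix without changing the version letter, so check the changelog too.
    """
    m = _VERSION_RE.search(version_line)
    if m is None:
        return None
    major, minor, patch, letter, beta = m.groups()
    if (int(major), int(minor), int(patch)) == (1, 0, 1):
        return letter <= "f"      # "" (1.0.1 itself) and a..f; g onward fixed
    if (int(major), int(minor), int(patch)) == (1, 0, 2):
        return beta == "1"        # only 1.0.2-beta1 carried the bug
    return False


def deleted_libssl_mappings(proc_root="/proc"):
    """Return {pid: mapping} for processes still mapping a libssl/libcrypto
    file that was replaced on disk (Linux tags such maps '(deleted)').
    They keep running the old code until restarted, which is why the
    library upgrade must be followed by a service restart or a reboot."""
    hits = {}
    if not os.path.isdir(proc_root):
        return hits               # not Linux, or the assumed path is absent
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as maps:
                for line in maps:
                    if "(deleted)" in line and ("libssl" in line or "libcrypto" in line):
                        hits[int(pid)] = " ".join(line.split()[5:])
                        break
        except OSError:           # process exited, or not readable by us
            continue
    return hits


if __name__ == "__main__":
    # Constructed sample; on a real host feed it `openssl version` output.
    for line in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(line, "->", is_heartbleed_version(line))
    print("still mapping a replaced libssl/libcrypto:", deleted_libssl_mappings())
```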
Actions you should take.
- Change your VPN username and password so that a hacker cannot use your account for free.
- Update your OpenVPN configuration files and, at the very least, delete the old stacked ca.crt and use the new one included in our configuration files.
- Start using a modern browser that supports Perfect Forward Secrecy.
- Change your passwords on any important websites.
Actions LiquidVPN plans on taking.
- Liquid Viscosity users will be prompted to update their clients. We suggest you do the update as soon as you are notified, to patch the vulnerable version of OpenSSL on your client.
- Our scheduled upgrade to standardize TLS-Auth across all of our servers had been put on hold; it will now move forward. TLS-Auth makes a MitM attack impossible unless the attacker has your TLS-Auth key. Currently all users share one TLS-Auth key, which does not protect against attacks coming from other LiquidVPN users. We will not finish the TLS-Auth standardization until we have a way to provide more protection with the TLS-Auth keys.
- We will send mail to all users asking them to reset their passwords (or usernames and passwords).