Let’s start with the good news: you are still safe. The latest Heartbleed situation — which is a software bug, not a virus — has not endangered the privacy and security of our customers’ communications.
Although this was a serious global problem with severe impact on a large number of servers, websites, and web services (this cartoon explains it pretty well), our customers’ communications remained safe. While our servers do use OpenSSL, they were safeguarded for the following reasons:
- Our VPN servers have multiple layers of encryption technology.
- We store no sensitive customer data on our web servers.
- Our customers’ credit card information is stored on a site belonging to our credit card processor, which did not use the vulnerable version of OpenSSL and therefore was not at risk.
- Our iOS customers were not exposed, since that client uses L2TP over IPsec rather than OpenSSL.
Still, given the bug, we immediately updated our VPN server environment and web server environment and reissued our website-specific certificates. Here is the bottom line: there is no need for our customers to change passwords, as is recommended on sites that were more exposed to this bug.
A Serious Security Threat
Heartbleed is a bug in a software library called OpenSSL, which is used by many popular websites; it affected Facebook, Instagram, Tumblr, Yahoo!, Gmail, Netflix, and many more.
The bug could expose your private passwords to hackers, which is why these sites now recommend that you change your password. Further, as the Huffington Post pointed out, Heartbleed even affected routers, firewalls, and switches from Cisco and others, which could expose your communications to a “man-in-the-middle” attack.
This is why Bruce Schneier, one of the most respected security analysts, says Heartbleed is a catastrophic bug in OpenSSL. Schneier claims “catastrophic” is the right word to use because “on the scale of 1 to 10, this is an 11.”
An Added Layer of Security
Fortunately, however, PRIVATE WiFi had implemented an extra piece of security in our VPN servers, called Perfect Forward Secrecy (PFS). With PFS, each session’s encryption key is negotiated with fresh, short-lived key material rather than derived from the server’s long-term private key. So even if a hacker eventually obtained the private key and had recorded your traffic, the hacker would not be able to decrypt it.
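To make the PFS property concrete, here is an added simulation (not PRIVATE WiFi’s code) of two key-exchange styles over a toy Diffie-Hellman group: one where the server’s long-term key is itself the key-agreement key, and one where the long-term key only authenticates a fresh ephemeral key. The attacker records the handshake and later obtains the long-term private key; the group, generator and all keys are constructed for illustration only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only (constructed; real deployments
# use standardized 2048-bit+ MODP groups or elliptic-curve groups such as X25519).
P = 2**127 - 1  # a Mersenne prime, large enough that the arithmetic is not trivial
G = 3


def keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(shared_secret):
    """Derive a symmetric session key from the agreed shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).hexdigest()


def handshake(server_longterm, ephemeral):
    """Simulate one session; return what an eavesdropper sees and the real session key."""
    server_priv, server_pub = server_longterm
    if ephemeral:
        # PFS: a fresh key-agreement key per session; the long-term key only authenticates it.
        kx_priv, kx_pub = keypair()
    else:
        # No PFS: the long-term key doubles as the key-agreement key (like TLS RSA key exchange).
        kx_priv, kx_pub = server_priv, server_pub
    client_priv, client_pub = keypair()
    key = session_key(pow(kx_pub, client_priv, P))
    transcript = {"server_pub": server_pub, "kx_pub": kx_pub, "client_pub": client_pub}
    # kx_priv and client_priv are discarded here; only the transcript is ever recorded.
    return transcript, key


def attacker_guess(transcript, leaked_server_priv):
    """Attacker with a recorded transcript and the later-leaked long-term private key."""
    return session_key(pow(transcript["client_pub"], leaked_server_priv, P))


def key_recovered(ephemeral):
    """True if the leaked long-term key lets the attacker decrypt the recorded session."""
    server_longterm = keypair()
    transcript, real_key = handshake(server_longterm, ephemeral)
    return attacker_guess(transcript, server_longterm[0]) == real_key


if __name__ == "__main__":
    print("static key exchange, key leaked later -> recovered:", key_recovered(False))
    print("ephemeral key exchange (PFS), key leaked later -> recovered:", key_recovered(True))
```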
The Heartbleed bug turned a lot of theoretical threats into real ones. However, PRIVATE WiFi has taken every step to make sure your data is still as secure as ever. Encryption is often assumed to guarantee absolute privacy and integrity, but that assumption is false. Heartbleed tested the limits of encryption, but our goal is, and remains, to provide encryption that delivers both privacy and integrity.
In our view, Heartbleed just reinforces what we have been saying for a long time: you are responsible for protecting the privacy and security of your communications. And the only way to do so effectively is to use a Virtual Private Network (VPN) such as PRIVATE WiFi.