TorGuard VPN Audit Results: HeartBleed SSL Bug
After TorGuard’s engineering team carefully reviewed our network, software and website infrastructure, we would like to publicly update our clients on the results of these findings. While the threats posed by the OpenSSL 1.0.1a HeartBleed vulnerability are wide reaching and potentially very serious, our team can confidently say this development will have no impact on the security of TorGuard or its services. This post may be updated in the coming days as we continue to analyze and conduct our own private testing across our network.
What is the HeartBleed Bug?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
TorGuard responded immediately to these findings by conducting a system-wide audit of all servers. Please review the latest audit findings below:
TorGuard.net Website Infrastructure:
The TorGuard.net front end website, member’s area, and back end administration systems are not affected by this vulnerability. Clients can rest assured that no possible exploit of this nature could have taken place on TorGuard.net’s website during the prior months while this bug was in the wild. Even so, all administration passwords are cycled on a regular basis and we encourage clients to do the same as a precautionary measure. It is also important to make sure that your email provider, IM software, or any other secure login platform used is up to date on this issue.
The TorGuard.tg server and client email systems are also not affected by this vulnerability and were not vulnerable in the months prior.
TorGuard OpenVPN Software
TorGuard lite (OpenVPN) – TG’s popular “lite” OpenVPN app for Windows, Mac and Linux is not affected by this bug as it uses a previous version of OpenSSL (0.9.8) which does not have heartbeat enabled. We are also releasing a new version in the coming days with a newly patched OpenSSL library just as a formality.
TorGuard Pro (Viscosity) – TorGuard has already pushed a software update for both Mac and Windows users that will update the VPN client to our latest patched version. Users will be prompted by the software to update to this latest version; just select the “update now” button that pops up when starting the VPN software. Customers can also now download the patched update for the Pro (Viscosity) software directly for Windows here and Mac here. Those still using an older version will be prompted daily to upgrade.
TorGuard Android App – The TorGuard Android app uses OpenSSL version 1.0.0e, which is NOT affected by this bug. No update of TorGuard’s Android VPN client is needed.
OpenVPN GUI – If you are using a stand-alone version of OpenVPN GUI, please take action and update your client to the latest version of OpenVPN (2.3.3), which has just been released here.
TunnelBlick GUI – If you are a Mac user running TunnelBlick, please update to the latest version here.
TorGuard VPN Server Network
After an extensive and complete audit of our entire VPN server network, we would like to report that only 5% of our server clusters in each data center were found to be using the compromised version of OpenSSL. These recently patched locations were strictly limited to our USA, Swedish, French, Icelandic, UK and Netherlands data centers. All locations were immediately upgraded to a non-vulnerable version of OpenSSL. New server configurations for these locations have automatically been pushed to all TorGuard software (lite, Pro, Android); however, if you are using a stand-alone OpenVPN GUI software client, please be sure to download our latest config files here. If you are using TorGuard’s pfSense, iOS, or DD-WRT scripts, it is important for you to visit the downloads page and pick up the latest updated version to prevent connection errors. Clients who are using TorGuard’s branded VPN software client are encouraged to completely restart the app to download the very latest server configs.
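The client-version notes above and the server audit both come down to one question: does a given OpenSSL version string fall inside the Heartbleed-affected range? The following is an added example, not TorGuard’s own audit tooling, that answers that question for the output of `openssl version`. It goes beyond the specific versions named on this page by encoding the full affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release; 1.0.1g fixed it, and the 1.0.0 and 0.9.8 branches never shipped the heartbeat extension). The host names and banners in the sample inventory are constructed for illustration.

```python
import re
import subprocess

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release. 1.0.1g fixed it; the 1.0.0 and 0.9.8 branches
# never implemented the TLS heartbeat extension and were never affected.

# Matches the version token OpenSSL prints, e.g. "1.0.1f", "0.9.8y", "1.0.2-beta1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
BANNER_RE = re.compile(r"OpenSSL\s+(\S+)")


def parse_version_banner(banner: str) -> str:
    """Pull the bare version token out of an `openssl version` banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1)


def is_heartbleed_vulnerable(version: str) -> bool:
    """True if this OpenSSL version string falls in the Heartbleed-affected range."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, pre = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
        return letter < "g"
    if release == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return pre == "beta1"
    # 1.0.0.x, 0.9.8x and everything newer than 1.0.2-beta1 are not affected.
    return False


def triage_inventory(inventory: dict) -> list:
    """Return the sorted names of hosts whose reported banner is vulnerable."""
    return sorted(
        name for name, banner in inventory.items()
        if is_heartbleed_vulnerable(parse_version_banner(banner))
    )


def check_local_openssl() -> bool:
    """Run `openssl version` on this machine and classify the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return is_heartbleed_vulnerable(parse_version_banner(out))


# Constructed sample inventory standing in for banners collected during an audit.
SAMPLE_INVENTORY = {
    "host-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "host-02": "OpenSSL 1.0.1f 6 Jan 2014",
    "host-03": "OpenSSL 1.0.1g 7 Apr 2014",
    "host-04": "OpenSSL 1.0.0e 6 Sep 2011",
    "host-05": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: VULNERABLE, upgrade to OpenSSL 1.0.1g or later")
```

The version check is deliberately strict about the 1.0.1 letter suffix rather than comparing whole strings, because a naive string comparison would rank "1.0.1" (affected) above "1.0.0e" (not affected) for the wrong reason. Patching the library is only half the remediation: a process that was already running when the library was upgraded keeps the old code in memory until it is restarted, which is why the advisory above tells clients to fully restart their software.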
Serious vulnerabilities such as this serve as a constant reminder that we must be forever vigilant in preserving the integrity of security services. TorGuard’s staff is relentlessly committed to preserving these values and will continue to deliver professional privacy solutions for our clients far into the future.