All VPN services answered the following questions.
1. What steps has your company taken in response to Heartbleed?
2. In your opinion, what were the risks users faced before these steps were taken?
3. How did you communicate the above to your users?
Our response was as follows:
When the Heartbleed announcement first broke, on the 7th April, we reviewed our servers and customer portal system and found that they did not utilize the affected OpenSSL versions. When OpenVPN released their patch to fix Heartbleed, we immediately implemented this in our own client and released this on the 10th April 2014. Moving forward, our next client release will use OpenVPN 2.3.3, which we hope to release in the coming week.
We are also in the midst of an entire customer portal revamp to improve security and usability, which we hope to release in a month or so, and are considering a complete reissue of all keys when this is released. The revamp was initiated many months ago and was not a result of the Heartbleed bug, but is in line with our continuing efforts to improve our system’s security.
Our OpenVPN implementation uses tls-auth with Perfect Forward Secrecy (PFS), which would protect past communications from retrospective decryption, so the risk is mitigated. In this scenario an attacker cannot attack OpenVPN instances without the tls-auth key. Our customer portal processing system never used the affected OpenSSL versions and remained with the older OpenSSL 0.9.8. Users may request a manual regeneration of their keys if they wish to be overly cautious by opening a ticket with us.
We sent out an email announcement to all users immediately, as well as a Facebook and Blog post on the 8th April 2014 3.22 PM GMT+8. We then pushed an update to our VPN clients on the 10th April with the patched OpenVPN version as well.
It is to be noted that, unlike other VPN providers, we regenerate keys every time you renew, so if your private keys were compromised earlier (and you did not request a regeneration), it would have been resolved with a renewal.
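The response above rests on one factual check: whether a given OpenSSL build falls in the Heartbleed-affected range (CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8, 1.0.0 and 1.0.1g or later are not affected). The following is an added example written for this page, not the provider's own tooling, that classifies the text printed by `openssl version`. The function name and the sample version strings are ours; the vendor suffix handling (`-fips`) is an assumption about how some builds label themselves.

```shell
#!/bin/sh
# Added example: classify an `openssl version` line against the
# Heartbleed-affected range. Prints one of: affected, not-affected, unknown.
# Exit status is 0 for affected, 1 for not-affected, 2 for unknown.
heartbleed_classify() {
    line="$1"
    [ -n "$line" ] || { echo unknown; return 2; }
    # Split "OpenSSL 1.0.1e 11 Feb 2013" on whitespace; field 2 is the version.
    set -- $line
    ver="$2"
    # Drop a vendor "-fips" tag (assumed label) so 1.0.1e-fips matches 1.0.1e.
    base="${ver%%-fips*}"
    case "$base" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)
            echo affected; return 0 ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo not-affected; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Check the local binary if one is present; the "|| :" keeps a not-affected
# verdict from aborting a script running under "set -e".
if command -v openssl >/dev/null 2>&1; then
    verdict=$(heartbleed_classify "$(openssl version)") || :
    echo "local openssl: $(openssl version) -> $verdict"
fi
```

The caveat a practitioner should keep in mind: an "affected" verdict from the version string alone is not conclusive on distributions that backport the fix without changing the upstream version number (a patched build can still print 1.0.1e). Treat "affected" as "check the package changelog or rebuild from 1.0.1g or later", and treat 0.9.8, as the provider reports for its portal, as outside the range entirely.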