Heartbleed Bug Update #2 [April 11th, 2014]
All server side upgrade activities have been done. PureVPN will keep you posted with further updates.
Heartbleed Bug Update #1 [April 11th, 2014]
This is a short update: client-side patches and upgrades have been posted in the Client Area. However, the server-side configurations are being upgraded. If things go as planned, we expect the upgrades to complete within 3 hours.
We'll keep you posted with further updates.
Heartbleed Bug – PureVPN is Secured
On 8th April 2014, a serious vulnerability was discovered in OpenSSL 1.0.1. Termed ‘Heartbleed’, this vulnerability affects the OpenSSL cryptographic library. As OpenSSL is widely used across 70% of the internet, the majority of websites, email services, IM services and more are vulnerable to theft of their users' data. This data theft can come in the form of stolen passwords, usernames, financial information, personal emails, private messages and more. Needless to say, it has quickly become a worldwide scare. If you’d like to read further about this menace, please visit: BBC Technology News.
Despite all the brouhaha, if you’re with PureVPN, you’ve got nothing to worry about!
How Secure is PureVPN?
As soon as the vulnerability was discovered, we started a thorough audit of our infrastructure to identify potential points of vulnerability so that we could take rapid corrective measures.
After a complete audit, we’re happy to report that the following areas of our website remained absolutely immune to the Heartbleed vulnerability:
- Authentication Backend
- Reseller Network & Reporting
- Business Intelligence
- PPTP Network
- L2TP Network
- SSTP Network
- IKEv2 Network
Areas with Potential Vulnerability:
While the most important areas of the PureVPN infrastructure remained secure, our security team identified a few areas of potential vulnerability. These were:
- PureVPN Website Infrastructure
- OpenVPN Network
The PureVPN website infrastructure was vulnerable to Heartbleed. However, the network security team at PureVPN detected no sign of damage and took rapid measures to secure all its websites, such as:
- The main PureVPN website (www.purevpn.com)
- Exclusive website for Chinese users (www.purevpn.org)
- The PureVPN billing portal (billing.purevpn.com)
The web servers hosting the PureVPN website and billing portal were patched as soon as the upstream OS vendors released the required fixes.
These fixes can be verified here:
The PureVPN OpenVPN network was also thoroughly analyzed, and our engineers detected no impact. Nonetheless, we have completed the patch work on all our OpenVPN servers. We have also planned to upgrade our configurations as a precautionary measure.
Schedule for Patch and Update Release:
Since the change will impact our OpenVPN users, we are allowing time for everyone to hear the word, and have planned to release security patches, version upgrades and server-side upgrades at 15:00 Hours Hong Kong time (7:00 AM UTC | GMT +8) on 11th April 2014.
The server side update activity will start at 15:00 Hours Hong Kong time (07:00 UTC | GMT+8) and is expected to complete at 00:00 Hours Hong Kong time (16:00 UTC | GMT+8). During these 9 hours of update activity, we will be replacing the server-side configurations of each country, individually.
While we work on the server side, we will need your help in successfully bleeding the **** out of Heartbleed. We request all our OpenVPN users to install the relevant security patch or upgrade for their devices as soon as they are released at 15:00 Hours Hong Kong time (7 A.M. UTC | GMT +8).
If you do not update your device during the schedule (between 15:00 Hours and 00:00 Hours Hong Kong Time | 7 A.M. – 4 P.M. UTC | GMT +8 – 11th April 2014), then you will not be able to connect using our OpenVPN network.
The update process will not take much of your time, but it will go a long way in ensuring your security. The update instructions for various operating systems are as follows:
Windows OpenVPN Users:
There is no need to re-install OpenVPN on Windows. A patch will be released for our Windows OpenVPN users. The patch will be downloadable from within the PureVPN Client Area. Just download and install it to kiss goodbye to Heartbleed.
Mac OpenVPN Users:
A new Tunnelblick package with updated configuration files will be released at the specified time (15:00 Hours Hong Kong Time | 7 A.M. UTC | GMT +8 – 11th April 2014). Our Mac users are requested to delete their existing installation and re-install the software. The new installation will be provided in the ‘Tutorials Section’ as well as in the Client Area.
Linux OpenVPN users:
As Linux users are also techies, at least most of the time, we require them to manually replace their current configuration files with a new set of configuration files. These files will be accessible in the ‘Tutorials Section’ and from within the Client Area.
Android App Users:
The update for our Android app configuration files will also be available from 15:00 Hours Hong Kong Time | 7 A.M. UTC | GMT +8, on 11th April 2014. The updated configuration files will be pushed automatically to all Android users. We request our Android app users to restart their application once and it will automatically fetch the updated files. Simple, right?
iPhone/iPad OpenVPN Users:
Most of you iPhone and iPad users do not need to take any action because our iOS app supports PPTP and L2TP protocols, which have remained safe from the entire ordeal. Even if you manually configured PPTP or L2TP on your iPhone/iPad, you don’t need to take any action. It is only if you have manually configured OpenVPN on your iPhone/iPad that you need to download new configuration profiles. These profiles are provided within the Client Area. Just download these updated files and replace existing ones – and you’re done!
DD-WRT and Sabai Router OpenVPN Users:
If you have configured OpenVPN on your router or have purchased Sabai Routers with the PureVPN OpenVPN protocol pre-configured, then you need to replace your existing configuration files. We request our DD-WRT OpenVPN and Sabai Router OpenVPN users to download the new profiles available in the Client Area and replace the existing configuration files.
PureVPN & its customers remained SECURED from the Heartbleed bug. While our network security team is working round-the-clock to further strengthen the security of the PureVPN network, we recommend that all our users update both their ‘Client Area’ passwords and their VPN passwords.
Let’s join hands to dish out a powerful counterattack to the menace of Heartbleed!