{"id":5351,"date":"2014-04-17T11:43:43","date_gmt":"2014-04-17T15:43:43","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5351"},"modified":"2014-04-17T11:43:43","modified_gmt":"2014-04-17T15:43:43","slug":"vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/04\/17\/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug\/","title":{"rendered":"VPN provider proves OpenVPN private keys at risk from Heartbleed bug"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2144962\/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug.html\"><img data-recalc-dims=\"1\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/04\/heartbleed-bug-100260024-large.png\" alt='' \/><\/a><\/p>\n<p>The fallout from the OpenSSL Heartbleed bug continues. Recently, personal virtual private network provider Mullvad said it was able to extract private encryption keys for OpenVPN from a test server.<\/p>\n<p>The group behind OpenVPN had previously warned that OpenVPN could be vulnerable to attack since the open source VPN software uses OpenSSL by default. But Sweden-based Mullvad&#8217;s tests appear to be the first proof-of-concept proving that extracting private keys is actually possible, as first reported by ArsTechnica.<\/p>\n<p>&#8220;We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed Bug,&#8221; Mullvad co-founder Fredrik Str\u00f6mberg wrote on Hacker News. &#8220;The material we found was sufficient for us to recreate the private key and impersonate the server.&#8221;<\/p>\n<p>Vulnerability to Heartbleed is particularly damaging for users since VPNs are meant as an extra step to make sure your online communications are kept private. 
If attackers are able to extract the private keys and then impersonate the VPN server, it puts users&#8217; encrypted communications at risk.<\/p>\n<p>As with all Heartbleed vulnerabilities, however, extracting information from a VPN server would take time and effort. Mullvad didn&#8217;t say exactly how much data it had to gather to recreate the private keys in its tests, but it did have to gather a lot.<\/p>\n<p>&#8220;Trying to get key material is like trying to win the lottery, we only need one response that contains key material,&#8221; Str\u00f6mberg told PCWorld. &#8220;Just like the other Heartbleed exploits we did a lot of requests, to get a lot of data. I left my program running overnight, and in the morning I had what I wanted.&#8221;<\/p>\n<p>But with Heartbleed leaking random data 64KB at a time, wouldn&#8217;t so many hits on a server set off alarm bells for most IT admins? Not necessarily. &#8220;Admins won&#8217;t notice it without the help of more advanced tools,&#8221; Str\u00f6mberg said. &#8220;We&#8217;re not generating a lot of traffic with the attack, and even on a low traffic VPN server you could get the key if you have patience.&#8221;<\/p>\n<p>Regardless of whether it&#8217;s detectable or not, Mullvad&#8217;s tests show the threat to providers using OpenVPN is real.<\/p>\n<p>&#8220;Our exploit is decently weaponized&#8230;we believe it may severely impact those who have not already upgraded,&#8221; Str\u00f6mberg said in his Hacker News post. &#8220;You should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN.&#8221;<\/p>\n<p>Healing Heartbleed<\/p>\n<p>For anyone who relies on a personal VPN service using OpenVPN, Str\u00f6mberg says it&#8217;s wise to ask your provider if they have added a patch against Heartbleed into their desktop client.<\/p>\n<p>If your provider uses client certificates, ask them for new ones. 
You should also change your username and password as a precaution once your provider&#8217;s servers are patched against Heartbleed. You should also ask if they&#8217;ve revoked their old server certificates and issued new ones.<\/p>\n<p>Finally, you&#8217;ll need a certificate revocation list that your OpenVPN client can use. &#8220;It doesn&#8217;t matter that they revoked the certificates,&#8221; Str\u00f6mberg said. &#8220;[Without a revocation list] your OpenVPN client won&#8217;t know about it, and you are still vulnerable to a man-in-the-middle attack.&#8221;<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2144962\/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug.html\">VPN provider proves OpenVPN private keys at risk from Heartbleed bug | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The fallout from the OpenSSL Heartbleed bug continues. Recently, personal virtual private network provider Mullvad said it was able to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[7,10],"tags":[475,775],"class_list":["post-5351","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-heartbleed","tag-openvpn"]}