{"id":5351,"date":"2014-04-17T11:43:43","date_gmt":"2014-04-17T15:43:43","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5351"},"modified":"2014-04-17T11:43:43","modified_gmt":"2014-04-17T15:43:43","slug":"vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/04\/17\/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug\/","title":{"rendered":"VPN provider proves OpenVPN private keys at risk from Heartbleed bug"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2144962\/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug.html\"><img data-recalc-dims=\"1\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/04\/heartbleed-bug-100260024-large.png\" alt='' \/><\/a><\/p>\n<p>The fallout from the OpenSSL Heartbleed bug continues. Recently, personal virtual private network provider Mullvad said it was able to extract private encryption keys for OpenVPN from a test server.<\/p>\n<p>The group behind OpenVPN had previously warned that OpenVPN could be vulnerable to attack since the open source VPN software uses OpenSSL by default. But Sweden-based Mullvad&#8217;s tests appear to be the first proof-of-concept proving that extracting private keys is actually possible, as first reported by ArsTechnica.<\/p>\n<p>&#8220;We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed Bug,&#8221; Mullvad co-founder Fredrik Str\u00f6mberg wrote on Hacker News. &#8220;The material we found was sufficient for us to recreate the private key and impersonate the server.&#8221;<\/p>\n<p>Vulnerability to Heartbleed is particularly damaging for users since VPNs are meant as an extra step to make sure your online communications are kept private. 
If attackers are able to extract the private keys and then impersonate the VPN server, it puts users&#8217; encrypted communications at risk.<\/p>\n<p>As with all Heartbleed vulnerabilities, however, extracting information from a VPN server would take time and effort. Mullvad didn&#8217;t say exactly how much data it had to gather to recreate the private keys in its tests, but it did have to gather a lot.<\/p>\n<p>&#8220;Trying to get key material is like trying to win the lottery, we only need one response that contains key material,&#8221; Str\u00f6mberg told PCWorld. &#8220;Just like the other Heartbleed exploits we did a lot of requests, to get a lot of data. I left my program running overnight, and in the morning I had what I wanted.&#8221;<\/p>\n<p>But with Heartbleed leaking random data 64KB at a time wouldn&#8217;t so many hits on a server set off alarm bells for most IT admins? Not necessarily. &#8220;Admins won&#8217;t notice it without the help of more advanced tools,&#8221; Str\u00f6mberg said. &#8220;We&#8217;re not generating a lot of traffic with the attack, and even on a low traffic VPN server you could get the key if you have patience.&#8221;<\/p>\n<p>Regardless of whether it&#8217;s detectable or not, Mullvad&#8217;s tests show the threat to providers using OpenVPN is real.<\/p>\n<p>&#8220;Our exploit is decently weaponized&#8230;we believe it may severely impact those who have not already upgraded,&#8221; Str\u00f6mberg said in his Hacker News post. &#8220;You should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN.&#8221;<\/p>\n<p>Healing Heartbleed<\/p>\n<p>For anyone who relies on a personal VPN service using OpenVPN, Str\u00f6mberg says it&#8217;s wise to ask your provider if they have added a patch against Heartbleed into their desktop client.<\/p>\n<p>If your provider uses client certificates, ask them for new ones. 
You should also change your username and password as a precaution once your provider&#8217;s servers are patched against Heartbleed. You should also ask if they&#8217;ve revoked their old server certificates and issued new ones.<\/p>\n<p>Finally, you&#8217;ll need a certificate revocation list that your OpenVPN client can use. &#8220;It doesn&#8217;t matter that they revoked the certificates,&#8221; Str\u00f6mberg said. &#8220;[Without a revocation list] your OpenVPN client won&#8217;t know about it, and you are still vulnerable to a man-in-the-middle attack.&#8221;<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2144962\/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug.html\">VPN provider proves OpenVPN private keys at risk from Heartbleed bug | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The fallout from the OpenSSL Heartbleed bug continues. Recently, personal virtual private network provider Mullvad said it was able to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[7,10],"tags":[475,775],"class_list":["post-5351","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-heartbleed","tag-openvpn"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/papNkV-1oj"}