Earlier this week a new bug affecting OpenSSL, called the Heartbleed bug, was discovered and patched. This is a major development in the VPN industry because OpenVPN makes use of the OpenSSL encryption library throughout, which makes it a critical component in the working of the protocol. It may not be clear to the average user, but the reason this has caused such panic amongst the VPN community is that the bug allows encrypted internet services such as VPNs to disclose the information contained within. In a nutshell, it could lead to your private actions being discovered by the right person.
It has come to light that the bug has been around in previous versions of OpenSSL, and publicly since March 2012. It is not known whether the bug has previously been exploited by criminal or hacker types, but the possibility has been there. One silver lining to the whole fiasco is that it is now in the public domain. Although that is not an ideal situation, it is far superior to one where the bug could have gone undiscovered by the public for many more years while remaining open to exploitation by both criminals and government types without notice.
How this situation affects the VPN industry is an interesting question and one which has been discussed widely on social networking sites such as Reddit. We all have our favourite VPN providers for different reasons, and the community is very protective of its own choice of provider. For those who only use VPN providers to access geo-restricted content, the fallout from this situation is unimportant. For those who use a VPN to protect their privacy and security, it is a critical situation that calls for careful consideration of whether the provider you have chosen really lives up to its sales pitch that it will do everything to secure your privacy.
Luckily, most of the major VPN providers, including a whole range of those listed on our site, reacted within a few hours of the announcement, with solutions ranging from patching their servers to updating their custom software. One critical step from a user perspective is to download any updated custom software or OpenVPN configuration files/keys that your provider suggests. If you haven't already, it would be wise to check your provider's website or blog to ensure that you have the latest version of their software or configuration files. For users who work with multiple providers using OpenVPN directly, a new version has been released, and updating to it should be your priority before continuing use.
So how has this discovery damaged the image of VPN providers?
Your own perspective will largely dictate how far you feel this has damaged your opinion of your VPN provider or the industry as a whole. I personally feel it does not directly damage VPNs themselves but brings to the forefront that a VPN provider can only be as good as the systems on which they rely. Very few systems are built from the ground up to provide such a service, and this is true in most industries, be it computer related or real world; even when custom systems exist, they often rely heavily on components from other arenas or third-party add-ons. The major factor here is that no matter how good a provider is or how well they have secured their setup, everything comes down to the same point: the weakest link in the chain is always going to be the one that allows the holes to be poked through.
So while the VPN industry itself cannot be blamed, it does call into question how secure the systems are when third-party bugs such as these exist without the knowledge of the providers. Luckily, from a VPN provider point of view this issue has now been mainly resolved, and we can take comfort from the fact that the majority of providers took the situation extremely seriously and reacted swiftly and in line with what was required. So while it may seem appropriate to point the finger at someone for this issue, it is reassuring that most VPN providers we entrust our privacy to have taken the professional approach and treated the situation with the respect and urgency that was necessary.
The only question left for you as a user is this: if your provider hasn't made any comment regarding the situation via news, blog or social media, it may be time to start questioning whether they have your best interests at heart.