We’d like to give some more insight into how we dealt with the Heartbleed security bug that affected most of the Internet last week.
The key points are:
- For any of our systems using OpenSSL, we patched those servers on the same day the issue was announced.
- Confirmation that our web servers are patched: http://filippo.io/Heartbleed/#expressvpn.biz
- As a precaution, we re-keyed server certificates and briefly disconnected all connected users to apply the patch on affected systems.
- Our OpenVPN servers use tls-auth, which helps prevent man-in-the-middle attacks and mitigated some of the Heartbleed risks even before the patch.
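To illustrate the tls-auth point above, here is an added example of what that setting looks like in an OpenVPN configuration. It is not ExpressVPN's own configuration; the file names (ca.crt, server.crt, server.key, dh.pem, ta.key), the address range and the port are placeholder values chosen for the example. The relevant mechanism is that tls-auth makes OpenVPN attach an HMAC to every control-channel packet using a pre-shared static key, and any packet whose HMAC does not verify is discarded before the TLS layer (and therefore OpenSSL's heartbeat handling) ever sees it.

```conf
# Added example: minimal OpenVPN server config, shown without and with tls-auth.
# Not ExpressVPN's configuration; all file names and addresses are placeholders.

# --- Weak form: no control-channel authentication ---
# Any host that can reach UDP/1194 gets its packets handed straight to the
# TLS layer, so an unpatched OpenSSL would process a crafted heartbeat.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0

# --- Hardened form: add the line below to the server config ---
# ta.key is a static key generated once with:  openvpn --genkey --secret ta.key
# and distributed to clients out of band. Direction 0 on the server,
# direction 1 on the client (they must differ).
tls-auth ta.key 0

# --- Matching client-side line ---
# tls-auth ta.key 1
```

Caveat for defenders: tls-auth only filters packets from parties that do not hold the static key. A party who already has ta.key (for example a legitimate client) can still complete the control-channel handshake, so tls-auth narrows the exposed surface rather than closing the vulnerability; patching OpenSSL and re-keying certificates, as the post describes, remain the actual fix.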
Here is a more detailed technical explanation of Heartbleed that also shows how difficult it was to exploit Heartbleed to steal private keys.
In summary, we reacted quickly to protect our customers and ensure our systems are not susceptible to Heartbleed attacks.