Omni catcher look, caught VikingVPN attacking PIA on Reddit about Heartbleed in 2014
http://www.reddit.com/r/VPN/comments/22jzu1/so_is_pia_safe_from_the_heartbleed_bug/
Youknowimtheman [VikingVPN Admin] 3 points (13 children)
I am the OP of this thread. Do not remove it.
No.
Their custom OpenVPN client for Windows will need to be updated to close the security hole, as it contains a vulnerable version of OpenSSL.
The open-source version of the client has been updated to version 2.3.2 I004 to close the vulnerability.
realrasengan [PIA employee] 12 points (10 children)
No.
Dear /u/Youknowimtheman,
Please stop spreading FUD. While you are right that our custom client uses an unpatched version of OpenSSL, this is not an issue at all. The only way this can actually be exploited is if, for some reason, a user decides to reverse engineer our client in order to connect to a malicious server other than our own. All of our servers themselves have been patched. As a competing provider within our industry, you should be more careful with the defamatory comments you make. PIA is safe from the heartbleed bug.
Thanks,
rasengan

Comments
Someone asked a question about the client. I answered the question about the client (correctly). They posted clarification about how the impact of the vulnerability affects their systems.
It was (wrongly) asserted that our website certs needed to be updated.
PIA has not been very transparent about what they are doing. If the only thing they did was update OpenSSL and fix the website CA, the VPN servers that were vulnerable for two years are still running the same keys and certs, which means the claim that they are safe from Heartbeat is patently false.
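
The distinction the last comment draws (a patched OpenSSL versus rotated keys and certificates) can be written as an audit over a server inventory. This is an added example, not part of the original thread or any provider's tooling; the inventory schema, hostnames, fingerprints and serials are constructed, and only the OpenSSL release range 1.0.1 through 1.0.1f is taken as fact.

```python
import re

def openssl_vulnerable(version):
    """True for OpenSSL releases 1.0.1 through 1.0.1f, the Heartbleed-affected
    range; 1.0.1g is the fixed release. Beta builds are not handled here."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter = m.groups()
    return base == "1.0.1" and letter <= "f"   # "" (plain 1.0.1) sorts first

FIELDS = ("host", "openssl_before", "openssl_now", "key_fp_before",
          "key_fp_now", "cert_serial_before", "cert_serial_now",
          "old_cert_revoked")   # hypothetical inventory schema

# Constructed sample data: hosts, fingerprints and serials are made up.
INVENTORY = [dict(zip(FIELDS, row)) for row in [
    ("vpn-a.example", "1.0.1e", "1.0.1g", "aa11", "aa11", "01", "01", False),
    ("vpn-b.example", "1.0.1e", "1.0.1g", "bb22", "bb22", "02", "07", False),
    ("vpn-c.example", "1.0.1c", "1.0.1g", "cc33", "dd44", "03", "08", False),
    ("vpn-d.example", "1.0.1f", "1.0.1g", "ee55", "ff66", "04", "09", True),
    ("vpn-e.example", "0.9.8y", "0.9.8y", "9a9a", "9a9a", "05", "05", False),
    ("vpn-f.example", "1.0.1f", "1.0.1f", "7b7b", "7b7b", "06", "06", False),
]]

def audit(ep):
    """Return the remediation gaps for one server record."""
    findings = []
    if openssl_vulnerable(ep["openssl_now"]):
        findings.append("openssl-unpatched")
    # Only a host that ever ran an affected build could have leaked its key.
    if not (openssl_vulnerable(ep["openssl_before"])
            or openssl_vulnerable(ep["openssl_now"])):
        return findings
    if ep["key_fp_now"] == ep["key_fp_before"]:
        # Patching stops further leaks but does not un-leak the old key.
        findings.append("private-key-not-rotated")
        if ep["cert_serial_now"] != ep["cert_serial_before"]:
            findings.append("cert-reissued-over-exposed-key")
    elif not ep["old_cert_revoked"]:
        # A leaked key plus a still-valid old certificate remains usable.
        findings.append("old-cert-not-revoked")
    return findings

def report(inventory=INVENTORY):
    return {ep["host"]: audit(ep) for ep in inventory}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, ", ".join(findings) or "ok")
```
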