Heartbleed issues not yet resolved
1. Heartbleed was an eye opener which helped to make the public more aware of the insecurities that exist in un-audited code. Regardless of being open or closed source, there will always be insecurities in systems. However, the best that companies can do is to strive to achieve 100% security. In our case, when the Heartbleed exploit was announced, we reacted immediately. It was publicly disclosed at or about UTC 19:00:00 on April 7, 2014. We patched our VPN gateways within 4 hours at or about UTC 23:17:15 on April 7, 2014 by upgrading our OpenSSL libraries to version 1.0.1g from 1.0.1f.
Our website was not exploitable given that we use a hardware load balancer that is not using a vulnerable version of OpenSSL.
Immediately after patching our VPN gateways, we then setup a non-production gateway that we attempted to exploit using the Heartbleed exploit POCs (proof of concepts). While it was recently announced that OpenVPN is exploitable, it is our best belief that our private keys were never leaked given that we have systems in place that make the exploitation of our servers very unlikely.
That being said, within 24 hours we are rolling out updates to our clients as well, even though it is highly unlikely that our keys were ever leaked.
2. The likeliness of our gateways being exploited prior to us rolling out these patches are extremely low. However, as stated earlier, at Private Internet Access, we strive to achieve 100% security, so we went through the motions as it is our policy to do so in best practice.
3. We waited to announce anything to our users until we were 100% certain of everything we were stating. That said, we posted on our blog after we performed our patches.
Additionally, we will be sending out a mass e-mail within 24 hours to our clients as certain users (DD-WRT, stock OpenVPN, etc.) will need to manually apply updates in order to connect to our service.