NordVPN Reacts to the Recent OpenSSL Vulnerability
The OpenSSL Foundation warned its users on Thursday to update their OpenSSL installations to fix a bug that allows any network eavesdropper to strip away its encryption. The non-profit foundation issued a patch for the bug and advised users to upgrade immediately.
NordVPN upgraded the OpenSSL libraries of its web and VPN servers from 1.0.1e-2+deb7u7 to 1.0.1e-2+deb7u10 on 6 June 2014, 08:00 (GMT). This update removed the threat posed by the bug known as CVE-2014-0224. Unlike after the Heartbleed bug fix, this time users will not need to download new server configuration files – the server keys stay the same.
More about the CVE-2014-0224 bug
The flaw was discovered by Masashi Kikuchi, who explained that the new attack takes advantage of a part of OpenSSL’s ‘handshake’ that establishes encrypted connections, known as ChangeCipherSpec. It allows the attacker to cause the computer and server performing the handshake to use weak keys, which in turn allows a man-in-the-middle attacker to decipher and read the traffic.
An attacker who exploits this newly discovered flaw must be located somewhere between the two computers that are communicating. Still, this leaves open the possibility for anyone, including the NSA, to strip away the encryption of your Internet connection before it is even initialized.
NordVPN takes your privacy and security very seriously and is ready to take quick action to guarantee the best possible protection.