We are proud to announce that our entire VPN network as well as our main infrastructure (web, database, redundancy and replicated clusters) have all been patched to OpenSSL 1.0.1g over the past 24 hours. Our patching process started a few minutes after the 0day news came out yesterday, in an effort to fix the Heartbleed Bug. Fortunately, most of our servers were using a non-vulnerable version, but we upgraded to the latest version nonetheless so as to benefit from the other bug fixes.

Your security has always been our number one preoccupation, as our ethics and our history have shown.

Our engineering unit has also patched the rest of our services (e.g. TOR, Cryptocat, etc.). The team is also investigating the impact on OpenVPN certificates and whether regenerating them is required (as well as enforcing a new set of credentials for all accounts). So far our findings have shown that there were no reasons beyond reasonable doubt to implement any of these measures. We will of course keep you posted as soon as we find the slightest element that could lead to compromising your privacy and lead us to adopt further changes to our system. Our team has also proceeded with SSL regeneration and will soon push entirely new sets of public certificates, while at the same time taking the opportunity to raise our encryption levels to even higher standards, as we always wanted to (but kept postponing as it required a full reboot of the network).

P.S. We can only recommend that you change your account and VPN passwords if you want to close any loophole that may not be covered by the current expertise of both the Proxy.sh team and the public community.

P.P.S. As always, if you are using Safejumper, please make sure to always keep it updated so that it uses the latest OpenSSL version. Reinstalling OpenVPN or Safejumper using the installer is highly recommended, as it will update your OpenSSL libraries if you are using a non-NIX environment.

Tuesday, April 8, 2014