9 April 2014 NEWS
A serious vulnerability in the popular OpenSSL cryptographic software library was disclosed 30 hours ago. In short, it allows (among other things) anyone on the Internet to extract the private keys used for encrypting traffic and for identifying service providers to their users. A more complete description can be read on heartbleed.com. This affects a lot of different services, including web, email, instant messaging and OpenVPN (which Mullvad uses).
As of a few hours ago, all our servers have been patched and are no longer vulnerable. We are also releasing a new Mullvad client for all supported operating systems (OSX, Windows, Linux) and an updated configuration package for those who use OpenVPN without the Mullvad client.
On the server side, OpenSSL has been upgraded, and since we could not rule out a leak of one or all of our servers' private keys, we have revoked all of them and generated new ones. The new client includes a Certificate Revocation List with all revoked certificates and a patched version of OpenSSL (for Windows and OSX users). Our Linux client doesn't bundle OpenSSL and relies on the OpenSSL provided by the user's Linux distribution.
To protect yourself against a so-called man-in-the-middle attack when connecting to Mullvad, you should upgrade to the new client immediately. If you use OpenVPN without our client, you should download a new configuration package from our website.