Frequently Asked Questions About the 2014-04-08 Vulnerability
What is the vulnerability?
Some versions of Tunnelblick include a version of the OpenSSL library that is vulnerable to the "heartbleed attack".
For details on the vulnerability itself, see heartbleed.com.
For details on how the vulnerability affects OpenVPN (which Tunnelblick uses to create VPNs), see Heartbleed - OpenVPN.
How can I protect my computer from this vulnerability?
Update to the latest version of Tunnelblick (either the latest stable version or the latest beta version).
Can Tunnelblick Updates Be Compromised by This Vulnerability?
No. This vulnerability may be able to compromise the security of https:, allowing "man-in-the-middle" attacks. However, the Tunnelblick update process has an additional protection that does not depend on https: updates are signed with a digital signature, and Tunnelblick checks that signature when you update.
How can I update to the latest version of Tunnelblick?
You will need your computer's administrator password to update Tunnelblick.
Note: Users of a Deployed version of Tunnelblick must obtain a new version of Tunnelblick from the person or organization that distributed Deployed. See How can I know if I am using a Deployed version.
How to use Tunnelblick's built-in update function
How to install the latest version of Tunnelblick
What versions of Tunnelblick are vulnerable?
The following versions are vulnerable:
Note: All versions before 3.3 have other security vulnerabilities.
Only Tunnelblick stable version 3.3.2 and beta version 3.4beta22 have no known vulnerabilities.
What version of Tunnelblick do I have?
If there is no version information, it is Tunnelblick version 3.0b9 or earlier.
Am I Using a Deployed Version?
Note: If you try to install Tunnelblick 3.2beta22 or higher on a computer that has a Deployed version of Tunnelblick, an error message will be displayed and the installation will not be performed.
If a "Deploy" folder exists in "Resources", you are using a "Deployed" version of Tunnelblick.
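The version and Deployed checks described above can be scripted when several Macs need to be checked. The following is an added example, not part of Tunnelblick or of the original page. It assumes the standard macOS bundle layout (`Contents/Info.plist`, `Contents/Resources`) and that the version is the first token of `CFBundleShortVersionString`; the function names are hypothetical.

```python
import plistlib
import sys
from pathlib import Path

# The only versions the page lists as having no known vulnerabilities
# (as of its posting date, 2014-04-08).
NO_KNOWN_VULNS = {"3.3.2", "3.4beta22"}


def read_version(info_plist):
    """Return the leading version token, or None if none is recorded."""
    with open(info_plist, "rb") as fh:
        info = plistlib.load(fh)  # reads XML and binary plists
    # Assumption: the version is the first whitespace-separated token of
    # CFBundleShortVersionString (build details, if any, follow it).
    tokens = str(info.get("CFBundleShortVersionString", "")).split()
    return tokens[0] if tokens else None


def triage_tunnelblick(app_path):
    """Return (version, deployed, advice) for one Tunnelblick.app bundle."""
    contents = Path(app_path) / "Contents"  # assumed standard bundle layout
    version = read_version(contents / "Info.plist")
    # Page: a "Deploy" folder in "Resources" marks a Deployed version.
    deployed = (contents / "Resources" / "Deploy").is_dir()

    if version in NO_KNOWN_VULNS:
        advice = "no known vulnerabilities"
    elif deployed:
        advice = "obtain a new version from the distributor of Deployed"
    else:
        advice = "update to the latest stable or beta version"
    if version is None:
        # Page: no version information means 3.0b9 or earlier.
        version = "3.0b9 or earlier"
    return version, deployed, advice


if __name__ == "__main__":
    # Usage: python triage.py /Applications/Tunnelblick.app [more bundles...]
    for path in sys.argv[1:]:
        print(path, *triage_tunnelblick(path), sep="\t")
```

The set of versions reflects only what this page states as of 2014-04-08, so any version not in it is reported as needing an update.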
Are there any exploits?
Unknown as of the date of this posting (2014-04-08).
Do I need to be running Tunnelblick to be vulnerable?