OpenSSL Releases Security Advisory for FREAK - It has been upgraded from low to high. Check your VPN

Some clarifications about FREAK:

Because FREAK relies on a MITM scenario, the HMAC firewall (tls-auth) only protects you if your tls-auth key is secret and unique to you, rather than shared across all users: anyone who holds the shared key can compute valid HMACs and sit in the middle like any other client. Almost all VPN providers that use tls-auth use one key shared across all users and therefore do not mitigate the FREAK attack.

"Allow cipher negotiation" is an ambiguous term. There are two different ciphers in OpenVPN. There is the OpenVPN (data channel) cipher, which is set with the 'cipher' option in the config file. This is the cipher that our application lets you change. This cipher is completely unrelated to FREAK.

There is also the TLS cipher, or more correctly the TLS ciphersuite, which protects the control channel. The TLS ciphersuite is negotiated automatically by OpenSSL. The OpenVPN option tls-cipher limits the TLS ciphersuites that the client or server are allowed to select from. It is usually left unset because it doesn't need to be (OpenSSL picks a mutually supported ciphersuite from its default preference order, which puts the strongest ones first), except in rare cases like the FREAK attack, see below. FREAK is exactly the case where the default is not enough: the man in the middle rewrites the client's offer so that only EXPORT ciphersuites are on the table, and a server that still has them enabled will go along with that.

That said, there are two ways for OpenVPN providers to protect against the FREAK attack:

1) Upgrade the OpenSSL version of the client to an unaffected version (FREAK is a client-side bug: a vulnerable client accepts a weak RSA export key it never asked for).

2) Disable TLS EXPORT ciphersuites on the server side (using tls-cipher). This is the path that we took back when the FREAK attack was discovered. This prevents any OpenVPN client from connecting with a TLS EXPORT ciphersuite, which is what the FREAK attack requires. We preferred this solution because it requires no work for our users and we can be 100% sure that our users are protected, rather than only the ones who took the time to upgrade.

If a VPN provider goes with option #1 but not #2, the server will still accept a TLS EXPORT ciphersuite, which means their users are only protected if they have upgraded to the latest OpenSSL.
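To make the difference between the 'cipher' option and tls-cipher concrete, and to give server operators a quick way to check which of the two options above their config actually implements, here is a small audit script. It is an added example, not the provider's configuration or tooling. It assumes OpenVPN with the OpenSSL backend, where the tls-cipher string is handed to OpenSSL in OpenSSL cipher-list syntax (so tokens such as DEFAULT and !EXPORT mean what they mean to OpenSSL) and where an unset tls-cipher means OpenSSL's default list, which on pre-fix builds still contained the EXPORT suites. The three server.conf variants are constructed for the example.

```shell
#!/bin/sh
# Added audit script (not the provider's tooling): does an OpenVPN server
# config still let a client negotiate a TLS EXPORT ciphersuite?
# Assumptions: OpenVPN with the OpenSSL backend, where tls-cipher is an
# OpenSSL-style list whose tokens (DEFAULT, !EXPORT, ...) reach OpenSSL, and
# an unset tls-cipher means OpenSSL's DEFAULT list (which on pre-fix builds
# contained the EXPORT suites). The 'cipher' option (data channel) is
# deliberately ignored: it plays no part in FREAK.

# Print the value of the last active tls-cipher line in a config file.
# Comment lines ('#', ';') never match because their first field is not
# exactly "tls-cipher".
tls_cipher_of() {
    awk '$1 == "tls-cipher" { v = $2 } END { print v }' "$1"
}

# Decide whether a tls-cipher string can still yield an EXPORT suite.
# Returns 0 (blocked) or 1 (EXPORT still negotiable). Rules, in OpenSSL
# cipher-string terms:
#   - an empty string means OpenSSL DEFAULT            -> not blocked
#   - a '!EXP'/'!EXPORT' token is permanent and wins regardless of order
#   - a list made only of explicit suite names (they contain '-') blocks
#     EXPORT unless one of the names is itself an export suite
#   - anything using an alias (DEFAULT, ALL, HIGH, ...) without '!EXPORT'
#     is reported as not blocked; this is conservative (HIGH alone would be
#     fine) rather than a re-implementation of OpenSSL's alias table
export_suites_blocked() {
    spec=$1
    [ -n "$spec" ] || return 1
    banned=no; aliases=no; export_named=no
    saved_ifs=$IFS; IFS=:
    for tok in $spec; do
        case $tok in
            '!EXP'|'!EXPORT'|'!EXP40'|'!EXP56') banned=yes ;;
            '!'*|'-'*|'+'*|'@'*) ;;               # other modifiers: ignore
            EXP*-*|*-EXPORT-*) export_named=yes ;; # EXP-RC4-MD5, TLS-RSA-EXPORT-WITH-RC4-40-MD5
            *-*) ;;                                # explicit, non-export suite name
            *) aliases=yes ;;                      # DEFAULT, ALL, HIGH, EXP, ...
        esac
    done
    IFS=$saved_ifs
    [ "$banned" = yes ] && return 0
    [ "$aliases" = no ] && [ "$export_named" = no ] && return 0
    return 1
}

# Verdict for a whole config file: a line starting with OK or WEAK.
check_config() {
    spec=$(tls_cipher_of "$1")
    if export_suites_blocked "$spec"; then
        echo "OK    tls-cipher='$spec' cannot negotiate an EXPORT suite"
    elif [ -z "$spec" ]; then
        echo "WEAK  tls-cipher unset: OpenSSL default list, EXPORT suites allowed on unpatched builds"
    else
        echo "WEAK  tls-cipher='$spec' still allows EXPORT suites"
    fi
}

# Constructed sample configs for the demonstration.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# 1. Typical server.conf with no tls-cipher: OpenSSL's default list decides.
#    Note that 'cipher' and 'auth' are set, and that they do not matter here.
cat > "$DEMO_DIR/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 0
# tls-cipher is commented out, so this line changes nothing:
# tls-cipher DEFAULT:!EXPORT
EOF

# 2. Same config with the EXPORT suites removed from whatever OpenSSL offers.
{ grep -v '^#' "$DEMO_DIR/weak.conf"; echo 'tls-cipher DEFAULT:!EXPORT'; } > "$DEMO_DIR/fixed.conf"

# 3. Explicit allowlist in OpenVPN's TLS-* naming: EXPORT suites cannot be
#    chosen because they are simply not listed.
{ grep -v '^#' "$DEMO_DIR/weak.conf"
  echo 'tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA'; } > "$DEMO_DIR/allowlist.conf"

for f in weak fixed allowlist; do
    printf '%-15s %s\n' "$f.conf:" "$(check_config "$DEMO_DIR/$f.conf")"
done
```

On the server itself, `openssl ciphers -v '<your tls-cipher string>'` run with the same OpenSSL that OpenVPN links against shows exactly what the string expands to; if nothing with EXP in its name appears, option #2 is in force no matter which client connects.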

To reiterate, being able to change the encryption level (cipher/auth) client-side has nothing to do with FREAK.

/r/VPN Thread