On April 7th 2014, security researchers discovered a serious vulnerability (CVE-2014-0160) in OpenSSL, a very popular cryptographic library used by many websites, including Clear Books. This library secures communication between server and client and also confirms the identity of the server.
Although we have no indication that the attack has been used against Clear Books we are proceeding with a high level of caution because the nature of the vulnerability makes it very difficult to detect attacks.
What is Clear Books doing about this?
- As soon as the vulnerability details were posted yesterday morning, we immediately patched all our servers to the latest OpenSSL version, which is immune to this attack.
- New SSL keys were regenerated and redeployed, in addition to resetting our internal credentials. On top of that, all of our old certificates have also been revoked, just to be on the safe side.
- As a precaution, we forced all users to be logged out in case any sessions were compromised before we had patched our servers.
What can you do about this?
As stated before, we have no indication that Clear Books was a target of such an attack, but customers wishing to be extra cautious may reset their password and should ensure they use a unique, hard-to-guess password. We recommend doing this for all sites you use, not just Clear Books.
Update 10/04/2014 – 10:10 – As of 11:50PM last night, all sessions have been invalidated and you will need to log in to your Clear Books account again. As mentioned yesterday, this is a precautionary measure.