To be clear, we have no indication that the bug was exploited on PeerJ, but there are a few things you should know and possibly do:
A new vulnerability ‘Heartbleed’ (officially CVE-2014-0160) in OpenSSL was announced on April 7, 2014. This makes OpenSSL at risk for being compromised, which is a major concern as it is the cryptography library that powers a majority of Internet tools and websites that we all use, including PeerJ. Other well-known sites affected (or still affected) include: Netflix, Yahoo, and even the FBI’s website, and possibly some banking sites. i.e. this is a serious and widespread bug.
As soon as we heard of the bug we took steps to mitigate and eliminate any risk.
- We started using the patched OpenSSL on our load balancers and other servers that could be at risk as soon as it was made available to us.
- We re-keyed our SSL certificate (that’s what makes the URL bar turn green in some browsers), deployed it, and revoked the old SSL certificate.
- We cleared all active user sessions, which forced users to logout. This was to clear any session data or cookies that could be intercepted prior to the SSL patch and used by a malicious attacker.
Additionally, several months ago we activated what is known as ‘Perfect Forward Secrecy.’ This adds an additional layer of security for browsers that support it.
And, unlike any other journal (to our knowledge) we continue to encrypt every page, search or article that you visit on PeerJ, so that your privacy is ensured. Check for that green bar in your browser’s URL address form to know that you’re actually on the real PeerJ and protected. [The one exception is this blog, which is unencrypted].
As a user, what should you be doing?
While we have no evidence that this bug was utilized by anyone to eavesdrop on PeerJ, as a precaution we recommend that all users change their password. The nature of the bug means that an attacker could listen in on traffic without detection. In the coming days you will also see a large majority of websites and services across the Internet urging you to do the same as this is a bug that affects a majority of Internet traffic.