On June 5, another OpenSSL vulnerability, the ChangeCipherSpec (CCS) Injection Vulnerability, was announced. The advisory, tracked as CVE-2014-0224, warns that nearly all versions of OpenSSL are vulnerable to man-in-the-middle (MITM) attacks.
After learning about the CVE-2014-0224 vulnerability, the Wealthfront team immediately deployed an updated OpenSSL library on all customer-facing servers.
Further Resources for ChangeCipherSpec Help
We recommend auditing all systems that use OpenSSL and upgrading the OpenSSL library on each of them. Here are some resources we found useful in our response to this disclosure:
- CVE-2014-0224 Advisory
- New York Times Article
- CCS Injection Vulnerability Q&A
- How CCS Injection Vulnerability Was Discovered
As always, if you have any questions about the security of your Wealthfront account, contact us at firstname.lastname@example.org. We will continue to monitor this issue as the community and vendors investigate this vulnerability further.