Heartbleed bug and the Archive

Bottom line: The Internet Archive is safe to use.

Internet Archive has always been interested in protecting the privacy of our patrons.  We try not to record IP addresses, and when Edward Snowden showed that traffic going over the open Internet was not safe from government spying we turned on encryption by default on our web services.   Unfortunately, some of the encryption software we use (along with more than half the sites on the internet) was vulnerable due to the “Heartbleed” bug; we have upgraded our software to fix this issue.

A bit more detail:  A common piece of code, OpenSSL, was revealed to have a security bug that allowed anyone on the Internet to probe a vulnerable server and read a set of information that happens to be in RAM in that remote process.   This could be used to read a site’s “private key” which would allow a bad actor that could intercept traffic to impersonate a website via what is called a “man in the middle” attack.   If a site’s past encrypted traffic had been recorded, then it might be possible to go back now with the private key and see what happened in those past web sessions.  If you would like a more thorough explanation of “Heartbleed” you can watch a video overview.

Some of the Internet Archive’s web services did use the vulnerable version of OpenSSL up until yesterday.    At this point the Internet Archive’s services have been upgraded and we will be renewing our private key in case that was compromised.   On some of our services we have used “perfect forward secrecy” so even if our private key had been taken, and someone had recorded past traffic, and if they cared enough to try to then discover what had been read, they would still not be able to get it.   We will be implementing this on all services in the future.   Qualys SSL Labs has a useful report on our site.

Never a dull day!

12 thoughts on “Heartbleed bug and the Archive

  1. Pingback: Estos son algunos de los sitios afectados por “Heartbleed”, la última vulnerabilidad de la red | INCIDE Chile

  2. Mark

    Now that your site is safe from the Heartbleed Bug, how do I go about changing my password to my account here? This is something I’m doing on all the “secure” sites I had accounts with, but I cannot find a way to do it with this site.

    1. Daniel

      On the top menu row, click “Account”, enter your password and click the “Change Account Settings” button. You can change your password there.

      It’s good practice to do this on all sites that have used affected OpenSSL versions – once immediately to prevent direct abuse of a stolen login, and once more as soon as they have replaced their certificates, in case someone got hold of their private keys. Unfortunately, for many sites it can be difficult to find out when that happens, or if they were affected at all, unless they’re communicating as openly as the IA.

  3. SBDW

    Privacy over Internet is very important as our passwords, mailing id’s are more vulnerable to be hacked. It is a good step.

  4. SeanVN

    You must proceed with the assumption that anything you do on the internet is entirely visible to anyone (including you spouse!). To proceed on any other basis is foolhardy. One assumption that many Americans have is that only their country has database records of their activities. Hence all is well. It is more reasonable to presume that extensive database records exist on every individual in a number of different countries.

  5. Mike

    @Katie – Brewster says in the post, “we will be renewing our private key in case that was compromised.” I assume that when the private key is changed, the old certificate won’t work, so they will have to issue a new one. It doesn’t look like they’ve done that yet, though. (?) The main cert for archive.org was issued in February.

    I am concerned about his statement re: perfect forward secrecy. Generally this is enabled on the server in such a way that it will be used if the browser is capable of it. Otherwise, servers are typically set up to allow the communication to proceed without PFS, as opposed to rejecting the browser traffic altogether. It is not entirely correct, then, to assume that enabling PFS on the server guarantees all past traffic is safe from prying eyes.

    I’m having trouble finding a decent list of browser PFS support, but I gather that prior to version 11, Internet Explorer rarely used it.

    1. Mike

      I meant to say “It is not entirely correct, then, to assume that enabling PFS on the server guarantees all traffic thereafter will be safe from prying eyes.” That is, all traffic stored prior to enabling PFS can be decrypted by someone who has the server’s private key, as could any traffic stored after enabling PFS, if the user’s browser didn’t also use PFS.

  6. Jonathan

    It’s now April 21, and the SSL GoDaddy certificate presented by blog.archive.org still predates the disclosure of the Heartbleed vulnerability. (Valid from 2/21/2014 to 2/21/2017) I recognize this is probably not the most crucial on your long punch list of to-do’s, but it is still distressing to see.

  7. Paul Dabuco

    This is really a great news! The Heartbleed tragedy affected mostly ecommerce sites and it’s glad to know that archive.org is not affected. Nice!

Comments are closed.