Internet Archive News

updates about archive.org

Heartbleed bug and the Archive

Bottom line: The Internet Archive is safe to use.

Internet Archive has always been interested in protecting the privacy of our patrons.  We try not to record IP addresses, and when Edward Snowden showed that traffic going over the open Internet was not safe from government spying we turned on encryption by default on our web services.   Unfortunately, some of the encryption software we use (along with more than half the sites on the internet) was vulnerable due to the “Heartbleed” bug; we have upgraded our software to fix this issue.

A bit more detail:  A common piece of code, OpenSSL, was revealed to have a security bug that allowed anyone on the Internet to probe a vulnerable server and read a set of information that happens to be in RAM in that remote process.   This could be used to read a site’s “private key” which would allow a bad actor that could intercept traffic to impersonate a website via what is called a “man in the middle” attack.   If a site’s past encrypted traffic had been recorded, then it might be possible to go back now with the private key and see what happened in those past web sessions.  If you would like a more thorough explanation of “Heartbleed” you can watch a video overview.

Some of the Internet Archive’s web services did use the vulnerable version of OpenSSL up until yesterday.    At this point the Internet Archive’s services have been upgraded and we will be renewing our private key in case that was compromised.   On some of our services we have used “perfect forward secrecy” so even if our private key had been taken, and someone had recorded past traffic, and if they cared enough to try to then discover what had been read, they would still not be able to get it.   We will be implementing this on all services in the future.

Never a dull day!

Originally posted on The Internet Archive Blog by brewster.
Advertisements

Written by internetarchive

April 9, 2014 at 11:06 pm

Posted in News

%d bloggers like this: