April 9, 2014
On April 8, the US Computer Emergency Readiness Team (US-CERT) announced a serious vulnerability in OpenSSL, a cryptographic software library that underlies much of the encryption used to secure the Internet.
The vulnerability allows attackers to
-
read usernames, passwords, and other sensitive information stored in server memory; and
-
obtain the key required to decrypt secure communication to and from the server, and impersonate the server itself.
In short,
-
HathiTrust production infrastructure WAS NOT vulnerable.
-
HathiTrust development infrastructure (including development and beta sites) WAS vulnerable, was updated the morning of April 8 as soon as fixes were made available, and is NO LONGER vulnerable.
The scope of vulnerability in HathiTrust was therefore limited, and was specifically as follows:
-
Because HathiTrust uses Shibboleth authentication and does not handle usernames or passwords directly - even on development and beta sites - there is no risk of HathiTrust having exposed that information. HOWEVER, login pages at partner campuses may have been vulnerable, and that information may have been exposed via those pages. Please monitor the communication from your campus IT provider for recommendations. In addition, some privileged HathiTrust users such as CRMS reviewers and proxies for users who have print disabilities will be contacted and given further precautionary recommendations.
-
Theoretically, a coordinated and targeted attack leveraging the vulnerability of the development infrastructure AND the server or network infrastructure at HathiTrust or a partner campus could have revealed encrypted communications of authenticated HathiTrust users. We have NO reason to think this type of attack occurred. Even if it had, the data potentially observed is not particularly sensitive; it would consist essentially of a single user identity (essentially, the name and email address) with no access credentials, and, for a very limited user base, individual page images of copyrighted volumes.
As a precaution, staff have reissued all encryption keys and have requested revocation of the previous keys to prevent their use, and this concludes our work to address this vulnerability.
Additional details about the vulnerability itself:
- The vulnerability is referred to as “The Heartbleed Bug” because it allows an attacker to exploit the “heartbeat” functionality - normally used to maintain a secure open connection between a client and an email or web server, avoiding the sluggish reconnection and renegotiation of the secure session - to “bleed” sensitive data stored on the server.
- HathiTrust production services use hardware acceleration that does not implement the heartbeat functionality, and therefore were not vulnerable.
See US-CERT TA14-098A and heartbleed.com for additional information.