Ruhr-Uni-Bochum

The Power to Never Be Wrong: Evasions and Anachronistic Attacks Against Web Archives

2025

Conference / Journal

Authors

Nick Nikiforakis, Martin Johns, Chris Tsoukaladelis, Robin Kirchner

Research Hub

Research Hub C: Secure Systems

Research Challenges

RC 8: Security with Untrusted Components

Abstract

The Web is subject to link rot, where links break as webpages are updated or deleted. Web archiving services, such as the Wayback Machine, have emerged as a key solution to address link rot by archiving web content and preserving the look and feel of websites over time. These services offer critical functionality to users, serving as a historical baseline for an ever-changing Web. Implicit in everyone’s use of these services is that they are capable of providing an accurate record of the past and can, therefore, provide reliable ground truth for comparing the past to the present.

In this paper, we demonstrate that this implicit assumption does not necessarily hold. To this end, we propose two new threat models against web archiving services in which attackers can exert control over how their websites are archived. Evasive adversaries can distinguish crawlers operated by web archiving services from regular users, selectively denying or altering the content delivered to the former. Anachronistic adversaries can not only identify archive crawlers but also deliver content that enables them to retain control over archived snapshots. By abusing fundamental access-control mechanisms of the Web, these attackers can effectively alter the past as recorded by web archiving services. We found that all web archives we investigated suffer from one or more of these issues, challenging our current reliance on them.

Tags

Web Security