Avatar of admin

by

The NSA's Heartbleed Problem Is the Problem with the NSA

April 12, 2014 in Economics

By Julian Sanchez

Julian Sanchez

The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely-used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA’s two fundamental missions — one defensive, one offensive — are fundamentally incompatible, and that they can’t both be handled credibly by the same government agency.

In case you’ve spent the past week under a rock, Heartbleed is the name security researchers have given to a subtle but serious bug in OpenSSL, a popular version of the Transport Layer Security (TLS) protocol — successor to the earlier Secure Sockets Layer (SSL) — that safeguards Internet traffic from prying eyes. When you log in to your online banking account or webmail service, the little lock icon that appears in your browser means SSL/TLS is scrambling the data to keep aspiring eavesdroppers away from your personal information. But an update to OpenSSL rolled out over two years ago contained a bug that would allow a hacker to trick sites into leaking information — including not only user passwords, but the master encryption keys used to secure all the site’s traffic and verify that you’re actually connected to MyBank.com rather than an impostor.

The NSA’s two fundamental missions — one defensive, one offensive — are fundamentally incompatible.”

It’s exactly the kind of bug you’d expect NSA to be on the lookout for, since documents leaked by Edward Snowden confirm that the agency has long been engaged in an “aggressive, multi-pronged effort to break widely used Internet encryption technologies”. In fact, that effort appears to have yielded a major breakthrough against SSL/TLS way back in 2010, two years before the Heartbleed bug was introduced — a revelation that sparked a flurry of speculation among encryption experts, who wondered what hidden flaw the agency had found in the protocol so essential to the Internet’s security.

On Friday, Bloomberg News reported that Heartbleed had indeed been added to NSA’s arsenal almost immediately after the bug appeared, citing two anonymous sources “familiar with the matter”. Within hours, the intelligence community’s issued an unusually straightforward denial, free from the weasely language intelligence officials sometimes employ to almost-but-not-quite deny allegations. As the statement pointed out, the federal government itself “relies on OpenSSL to protect the privacy of …read more

Source: OP-EDS

Leave a reply

You must be logged in to post a comment.