Guardian: The NSA’s Heartbleed problem is the problem with the NSA

Were you surprised to discover that the NSA knew about the Heartbleed bug two years ago and kept it secret? Here's why you shouldn't be.

Article by Julian Sanchez for The Guardian

The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely-used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA's two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can't both be handled credibly by the same government agency.

In case you've spent the past week under a rock, Heartbleed is the name security researchers have given to a subtle but serious bug in OpenSSL, a popular version of the Transport Layer Security (TLS) protocol – successor to the earlier Secure Sockets Layer (SSL) – that safeguards Internet traffic from prying eyes. When you log in to your online banking account or webmail service, the little lock icon that appears in your browser means SSL/TLS is scrambling the data to keep aspiring eavesdroppers away from your personal information. But an update to OpenSSL rolled out over two years ago contained a bug that would allow a hacker to trick sites into leaking information – including not only user passwords, but the master encryption keys used to secure all the site's traffic and verify that you're actually connected to MyBank.com rather than an impostor.

- Read more at The Guardian


