Linked by Thom Holwerda on Fri 11th Apr 2014 20:21 UTC
Privacy, Security, Encryption

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

RE[2]: I don't think so...
by umccullough on Sun 13th Apr 2014 17:06 UTC in reply to "RE: I don't think so..."

it would be pointless and frankly waste more time than is required.


You may be unfamiliar with how SSL works.

Assuming the NSA is logging all encrypted traffic (which they claim they do - and are storing indefinitely), then they could potentially go back and decrypt the traffic after the fact if they are able to obtain the server's private key (which Heartbleed was proven to reveal in some circumstances).

This encrypted data would otherwise be hidden from their view, no matter how many taps they have on the trunks.

There are some mitigation mechanisms that help prevent such retrospective decryption, such as Forward Secrecy - but not all servers enable this feature by default, and not all browsers support it.

Reply Parent Score: 6
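To illustrate the point the comment makes about retrospective decryption versus forward secrecy, here is an added toy model (not code from the thread or from OpenSSL) contrasting RSA key transport with an ephemeral Diffie-Hellman exchange; the RSA key (textbook p=61, q=53) and the DH group (p=23, g=5) are constructed, insecure teaching values.

```python
# Toy model of why a leaked long-term key exposes past RSA-key-exchange
# TLS sessions but not past (EC)DHE sessions. Parameters are tiny
# textbook values (constructed, NOT secure); the structure is what matters.
import hashlib

# Long-term server RSA key (textbook values p=61, q=53; constructed).
N, E, D = 3233, 17, 2753
# Public Diffie-Hellman group for the ephemeral exchange (constructed).
P, G = 23, 5

def rsa_key_exchange_session(premaster: int):
    """RSA key transport: the client encrypts the premaster secret to the
    server's long-term public key. A passive tap records the ciphertext."""
    ciphertext = pow(premaster, E, N)
    capture = {"mode": "rsa", "encrypted_premaster": ciphertext}
    return capture, premaster

def dhe_session(a: int, b: int):
    """Ephemeral DH: the long-term key only *signs* the server's value.
    The tap records public values and a signature, never the secret."""
    A, B = pow(G, a, P), pow(G, b, P)
    h = int.from_bytes(hashlib.sha256(f"{A},{B}".encode()).digest(), "big") % N
    signature = pow(h, D, N)          # "sign" with the long-term key
    shared = pow(B, a, P)             # equals pow(A, b, P)
    capture = {"mode": "dhe", "A": A, "B": B, "sig": signature}
    del a, b                          # ephemeral exponents are discarded
    return capture, shared

def retrospective_recovery(capture: dict, leaked_d: int):
    """What a party holding the leaked private key can learn from a
    recorded handshake. Returns the session secret, or None."""
    if capture["mode"] == "rsa":
        # The ciphertext is decryptable forever once the key leaks.
        return pow(capture["encrypted_premaster"], leaked_d, N)
    # DHE: the key only verifies the signature; nothing in the capture is
    # encrypted under it, and the exponent needed no longer exists.
    return None

if __name__ == "__main__":
    cap, secret = rsa_key_exchange_session(premaster=1234)
    print("RSA session recovered:", retrospective_recovery(cap, D) == secret)  # True
    cap, secret = dhe_session(a=6, b=15)
    print("DHE session recovered:", retrospective_recovery(cap, D))            # None
```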