



The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA's two fundamental missions - one defensive, one offensive - are fundamentally incompatible, and that they can't both be handled credibly by the same government agency.
In case you've spent the past week under a rock, Heartbleed is the name security researchers have given to a subtle but serious bug in OpenSSL, a popular implementation of the Transport Layer Security (TLS) protocol - successor to the earlier Secure Sockets Layer (SSL) - that safeguards Internet traffic from prying eyes. When you log in to your online banking account or webmail service, the little lock icon that appears in your browser means SSL/TLS is scrambling the data to keep aspiring eavesdroppers away from your personal information. But an update to OpenSSL rolled out over two years ago contained a bug that would allow a hacker to trick sites into leaking information - including not only user passwords, but the master encryption keys used to secure all the site's traffic and verify that you're actually connected to MyBank.com rather than an impostor.
It's exactly the kind of bug you'd expect NSA to be on the lookout for, since documents leaked by Edward Snowden confirm that the agency has long been engaged in an "aggressive, multi-pronged effort to break widely used Internet encryption technologies". In fact, that effort appears to have yielded a major breakthrough against SSL/TLS way back in 2010, two years before the Heartbleed bug was introduced - a revelation that sparked a flurry of speculation among encryption experts, who wondered what hidden flaw the agency had found in the protocol so essential to the Internet's security.
Read the rest of this article at The Guardian...