The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely-used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA's two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can't both be handled credibly by the same government agency.
In case you've spent the past week under a rock, Heartbleed is the name security researchers have given to a subtle but serious bug in OpenSSL, a popular version of the Transport Layer Security (TLS) protocol – successor to the earlier Secore Sockets Layer (SSL) – that safeguards Internet traffic from prying eyes. When you log in to your online banking account or webmail service, the little lock icon that appears in your browser means SSL/TLS is scrambling the data to keep aspiring eavesdroppers away from your personal information. But an update to OpenSSL rolled out over two years ago contained a bug that would allow a hacker to trick sites into leaking information – including not only user passwords, but the master encryption keys used to secure all the site's traffic and verify that you're actually connected to MyBank.com rather than an impostor.
It's exactly the kind of bug you'd expect NSA to be on the lookout for, since documents leaked by Edward Snowden confirm that the agency has long been engaged in an "aggressive, multi-pronged effort to break widely used Internet encryption technologies". In fact, that effort appears to have yielded a major breakthrough against SSL/TLS way back in 2010, two years before the Heartbleed bug was introduced – a revelation that sparked a flurry of speculation among encryption experts, who wondered what hidden flaw the agency had found in the protocol so essential to the Internet's security.
Read the rest of this article at The Guardian...