The US National Security Agency (NSA) has denied claims that it knew about the Heartbleed vulnerability in OpenSSL before it was made public, claiming that it is biased towards seeing such flaws fixed for the greater good rather than keeping its knowledge secret to further its intelligence gathering programmes.
The NSA has been in the limelight of late thanks to revelations by former contractor turned whistleblower Edward Snowden, the source of evidence showing the NSA has been overreaching its charter with massive surveillance programmes against both US and foreign nationals. Documents leaked by Snowden included claims that the NSA works closely with major companies to gain back-door access to code and data, and even works to weaken commercial security products by recommending known-weak ciphers and random number generators.
When news of the Heartbleed vulnerability in the popular cryptography library OpenSSL broke last week, many wondered whether the NSA was aware of the flaw. Present in the OpenSSL codebase since 2011 and in the wild since 2012, the Heartbleed vulnerability has been proven to leak private keys - allowing the decryption of encrypted traffic, something the NSA captures and stores for several years as part of its intelligence activities.
Many in the industry had wondered why the NSA captured and stored encrypted traffic with no known way to decrypt it, but the Heartbleed bug means that the NSA - or any other attacker - could easily retrieve the private keys required to unlock the encrypted traffic. Suddenly, the NSA's trove of scrambled data made a lot of sense - leading many to claim on sites like Bloomberg that the NSA knew of Heartbleed and had been exploiting the vulnerability for years.
The NSA has, naturally, denied this. 'Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,' the Office of the Director of National Intelligence has stated. The denial has been followed by claims made to The New York Times that the NSA and other US intelligence agencies follow a process 'biased toward responsibly disclosing such vulnerabilities'.
The same article, however, quotes officials as admitting that while President Barack Obama has instructed the NSA and other agencies to follow responsible disclosure practices when flaws are found, there exists a loophole which allows vulnerabilities to be withheld for future exploitation if there is a 'clear national security or law enforcement need' - something critics claim could well have applied to knowledge of the Heartbleed vulnerability, given the NSA's corpus of encrypted data.
The Heartbleed vulnerability is still being patched, with sites affected by the flaw having to upgrade to a newer release of OpenSSL and revoke and replace their certificates before users can safely change their passwords and, where available, enable two-factor authentication.