Updated at the bottom with a response from the National Security Agency.
It's possibly the biggest security vulnerability ever discovered on the Internet. It's known as "Heartbleed," a glitch in the very software used to provide basic encryption at hundreds of thousands of Internet sites allowed hackers to access the data the encryption was supposed to protect. The bug was disclosed earlier this week, and Internet users are encouraged to change all their passwords.
Today, Bloomberg reports that the National Security Agency has known about this glitch for at least two years and used it to gather intelligence, while keeping knowledge of the bug to itself.
What is Heartbleed?
CNet offers a primer and FAQ on what Heartbleed is and how it works, though it can get a little technical. The glitch allows a hacker to use a protocol used to keep communication open between an Internet connection and a server to collect additional data that is supposed to be kept secure through this very encryption process. This means data that users thought was being kept secure, symbolized by the little padlock symbol on their web browsers, was not secure at all.
Probably the best illustration of how the glitch works comes from nerdy online comic xkcd:
Sites have been scrambling to fix the glitch. You can visit a Heartbleed checker here to see if sites you use are still affected. (For those of you registered to comment on Reason, it says we are now safe, but recommends changing your password if you haven't done so recently).
The NSA Knew and Said Nothing?
According to Bloomberg today, the NSA has known about the flaw and said nothing, even though it may have contributed to untold amounts of consumer fraud. And if other nations' intelligence services knew, nations that perhaps want to infiltrate activists and political opponents, there's no telling what they might have gotten:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts. …
"It flies in the face of the agency's comments that defense comes first," said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. "They are going to be completely shredded by the computer security community for this."
Update: The NSA, in a tweet, responded to the Bloomberg story that it was unaware of the Heartbleed flaw until it was made public this week.
Here's a longer response from the Office of the Director of National Intelligence:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
Comments