It's safe to say that the NSA has likely exploited the OpenSSL bug

Apr 10, 2014 22:26 GMT  ·  By

Heartbleed is one of the biggest bugs to ever affect an encryption protocol used by some two thirds of all sites in the world.

The entire bug was basically caused by what’s been dubbed as a rookie mistake for programmers. The worst part, however, is that it has been around for some two years, giving anyone with enough knowledge access to the unencrypted communications passing through any of the sites that used those particular OpenSSL versions.

Yahoo, Google, Facebook are just some of the sites that have been affected by the bug at least to some extent. They’re some of the most visited sites in the world, which means that their reach is extraordinary and billions of people have been exposed to the dangers of this bug.

Of course, you’ll say that there are millions of websites out there that don’t even use encryption and that’s perfectly true. But they also don’t require the use of your personal information, your banking account or other type of data that should be protected in every moment.

In fact, it’s not even advisable to share such data when you see no HTTPS at the start of an URL, especially if you want to protect your bank account, for instance.

Another big issue with this bug is that anyone taking advantage of it would not leave a trace behind. That means that it’s impossible to know whether hackers knew of it or not, if data has been stolen or not.

Chances that the bug hasn’t been discovered in the past two years are, in fact, quite slim, which means that enormous amounts of data have been intercepted and collected.

What are the chances that the NSA has been oblivious of this entire bug? None. The agency’s programs that have been exposed thus far indicate that this is exactly what the NSA is supposed to do – find flaws in encryption standards, exploit them and never tell a soul.

While a normal human being, such as those who discovered the bug and made things public, would immediately inform the rest of the world of the dangers they are in, the NSA would shut up and collect as much information as possible for as long as possible.

Basically, Heartbleed is a dream bug for the NSA since none of the agency’s actions would leave a trace, as a lot of sites were affected and no one knew about it. It means that the NSA barely had to lift a finger to spy on millions of people after they discovered Heartbleed. The only problem they had was to discover what other sites were affected so that they could exploit those as well.

It would be nice if some type of documents regarding this would be uncovered from the Snowden stash, although it may not actually be necessary. At this point, everyone thinks the worst of the NSA and rightfully does so considering all that’s been uncovered.

The good news is that the big sites have remedied the problem, but there are plenty more out there that are still susceptible to attacks, so be careful which ones you visit. It’s also advisable that you change your passwords to make sure that, in case yours has already been collected, you restore some of your privacy.