The NSA is so concerned for the safety of everyone’s data that it has issued a list of suggestions on how to avoid losing information because of the OpenSSL bug Heartbleed.
Now that we’ve had a laugh at the irony of this entire situation, let’s go through what the intelligence agency is advising people.
First and foremost, the NSA is telling everyone to upgrade the affected TLS/DTLS clients and servers to the latest OpenSSL version (1.0.1g) or to recompile the affected versions of OpenSSL with the option “-DOPENSSL_NO_HEARTBEATS”.
Secondly, since numerous operating systems and client and server software incorporate OpenSSL, it means that you could be in danger of falling prey to Heartbleed. In this case, it’s best if you contact the software vendor to determine whether there’s a risk and seek an update to fix things.
“For any systems that are affected by this vulnerability, use TLS/DTLS, and have exposure to Internet connectivity for potential exploitation of this vulnerability, revoke and reissue certificates and other credentials utilized on those systems after applying the update,” reads the NSA’s guide.
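The first step of that guidance is to verify what a host is actually running. The shell function below is an added example (not from the article or the NSA guide) that classifies an OpenSSL build from the strings `openssl version` and `openssl version -f` print: a build compiled with `-DOPENSSL_NO_HEARTBEATS` counts as mitigated whatever its version, 1.0.1g and later are treated as patched, and the assumption that every 1.0.1 release before 1.0.1g is affected while the 0.9.8 and 1.0.0 branches are not is mine, not the page's.

```shell
#!/bin/sh
# Added example: classify an OpenSSL build against the Heartbleed advice above.
# Assumptions (not stated on the page): 1.0.1 through 1.0.1f are affected,
# 1.0.1g onwards are fixed, and the 0.9.8 / 1.0.0 branches never shipped the
# heartbeat extension. Anything else is reported as unknown for manual review.

# heartbleed_status VERSION_STRING COMPILER_LINE
#   VERSION_STRING: output of `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
#   COMPILER_LINE:  output of `openssl version -f` (CFLAGS of the build)
# Prints one of: mitigated_flag, patched, not_affected_branch, vulnerable, unknown.
# Exit status: 0 when not vulnerable, 1 when vulnerable, 2 when unknown.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    flags=$2

    # A rebuild with -DOPENSSL_NO_HEARTBEATS removes the extension entirely.
    case "$flags" in
        *OPENSSL_NO_HEARTBEATS*) echo mitigated_flag; return 0 ;;
    esac

    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable; return 1 ;;     # 1.0.1 .. 1.0.1f
        1.0.1*)           echo patched; return 0 ;;        # 1.0.1g and later
        0.9.8*|1.0.0*)    echo not_affected_branch; return 0 ;;
        *)                echo unknown; return 2 ;;        # missing or other branch
    esac
}

# Live check on the current host; the result is informational, so a non-zero
# status must not abort a script that sources this file under `set -e`.
heartbleed_status "$(openssl version 2>/dev/null)" "$(openssl version -f 2>/dev/null)" || :
```

The version check alone is not sufficient on distributions that backport fixes without changing the version string, which is why the vendor contact the article mentions still matters.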
The NSA is suspected of having known about Heartbleed for years and, even worse, of having kept it a secret so that it could exploit the vulnerability quietly. After all, if we’ve learned one thing from the media reports of the past few months, it is that one of the NSA’s main jobs is to find exactly this type of vulnerability and put it to use to collect data.
OpenSSL, being used by so many services, would automatically be at the top of the NSA’s list of things to check for bugs.
Mixing this with the reports indicating that the NSA has been actively trying to undermine encryption standards and that it has even built its own backdoors into various services to make it easier to decrypt data, it becomes even more difficult to trust the NSA when it denies knowing about Heartbleed.
The OpenSSL bug has been around for two years and has gone unnoticed. Although many have suspected foul play, the “author” of the bug says that this was simply a programming error in a really dangerous area.
Sites like Facebook, Google and Yahoo have been affected by Heartbleed, but they quickly patched things up after the bug was revealed. The fact that, in the past two years, an untraceable number of attacks could have taken place is unsettling.