This video is called What Is the Heartbleed Encryption Bug?
Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?
By Kim Zetter
When ex-government contractor Edward Snowden exposed the NSA’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said last June. “Properly implemented strong crypto systems are one of the few things that you can rely on.”
But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”
This week, that caveat hit home — in a big way — when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to ten, cryptographer Bruce Schneier ranks the flaw an eleven.
Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data. “It really is the worst and most widespread vulnerability in SSL that has come out,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania. But the bug is also unusually worrisome because it could possibly be used by hackers to steal your usernames and passwords — for sensitive services like banking, ecommerce, and web-based email — and by spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them.
Bloomberg news agency: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said: here.
On Friday, Bloomberg News published a report citing two sources “familiar with the matter” revealing that the National Security Agency (NSA) was aware of the existence of the Heartbleed Internet security bug for two years and routinely exploited the bug to spy on private communications, rather than revealing and patching it: here.
Snowden says NSA spying on civil rights organizations: here.
N.S.A. Breached Chinese Servers Seen as Security Threat: here.
Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure: here.
U.S. and Germany Fail to Reach a Deal on Spying: here.