Michael Riley at Bloomberg:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
So, instead of alerting the American people (and Internet users everywhere) to this shockingly bad bug in OpenSSL, the federal government took advantage of it, possibly using private keys to decrypt data it had gathered via its myriad of tools.
A year ago, I wouldn’t have believed this. When the Heartbleed news broke the other day, I just assumed the government was using the exploit to spy on people. Hell, part of me thinks the NSA was behind it in the first place.
Update: The NSA has released a statement saying it was unaware of the OpenSSL bug until it was publicly disclosed. The language used is pretty clear. Make of that what you will, but the fact that we have to have this discussion is simply terrible.