The US National Security Agency (NSA) has categorically denied allegations that it knew about the existence of the Heartbleed bug for at least two years.
Last week, Bloomberg accused the agency of secretly exploiting the vulnerability in the open source OpenSSL cryptographic library to gather intelligence, while leaving millions of ordinary users at risk.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” said a statement from the Office of the Director of National Intelligence (ODNI).
“The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet.”
Heartbleed (official designation CVE-2014-0160) was disclosed last week, having been found independently by researchers at the Finnish security firm Codenomicon and by Neel Mehta of Google Security. A missing bounds check in OpenSSL's handling of the TLS heartbeat extension lets an unauthenticated attacker read up to 64 KB of a server's process memory per request, and repeat the request as often as it likes. That memory can contain the server's private key, session cookies and user passwords; with the private key an attacker can impersonate the service and decrypt recorded traffic from any session that did not use a forward-secret key exchange.
Heartbleed was introduced into OpenSSL as a programming error in version 1.0.1, released publicly in March 2012, and is present in every 1.0.1 release up to and including 1.0.1f. OpenSSL 1.0.1g, released on Monday, adds the missing length check.
Patching the library is only the first step. Because the private key may already have been read out of memory, the server's key pair must be regenerated, the old certificate revoked and a new one issued and deployed, and any session cookies or credentials that passed through the vulnerable process should be treated as exposed. Users of affected websites are advised to change their passwords, but only once the site has been patched and re-keyed, since a password entered on a still-vulnerable server can simply be leaked again.
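The programming error behind all of this is small enough to show in full. The following is an added example written for this article, not code from the page or from OpenSSL: a simplified heartbeat handler in the shape of the 1.0.1 to 1.0.1f code, which trusts the peer-supplied payload_length, beside the same handler with the length check that 1.0.1g introduced. The "process memory" is a constructed 128-byte array holding a 24-byte heartbeat record followed by a placeholder string standing in for whatever happened to sit next to the record buffer; the function names, the SECRET string and the memory layout are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* TLS heartbeat message: type (1 byte) | payload_length (2 bytes, big-endian) |
 * payload | padding (at least 16 bytes). rec_len is what the record layer
 * actually delivered; payload_length is whatever the peer claimed. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Shared response builder: copies payload_len bytes starting at payload,
 * whether or not that many bytes were really received. Caller frees. */
static unsigned char *hb_build_response(const unsigned char *payload, size_t payload_len,
                                        size_t *resp_len) {
    unsigned char *resp = malloc(3 + payload_len + HB_PADDING);
    if (resp == NULL) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + 3, payload, payload_len);        /* the over-read happens here */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    *resp_len = 3 + payload_len + HB_PADDING;
    return resp;
}

/* Vulnerable handler (1.0.1 to 1.0.1f behaviour): payload_length is trusted,
 * so a request that claims more bytes than it carries echoes adjacent memory. */
unsigned char *hb_respond_vulnerable(const unsigned char *rec, size_t rec_len, size_t *resp_len) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return NULL;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return hb_build_response(rec + 3, payload_len, resp_len);
}

/* Fixed handler (1.0.1g behaviour): silently discard the record unless the
 * header, the claimed payload and the minimum padding all fit in what arrived. */
unsigned char *hb_respond_fixed(const unsigned char *rec, size_t rec_len, size_t *resp_len) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return NULL;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return NULL;
    return hb_build_response(rec + 3, payload_len, resp_len);
}

/* Constructed stand-in for adjacent process memory; not real key material. */
static const char SECRET[] = "CONSTRUCTED-SAMPLE-SECRET: not a real key";
enum { MEM_LEN = 128, RECORD_LEN = 3 + 5 + HB_PADDING };

/* Lay out a 24-byte record whose header claims claimed_len payload bytes but
 * only carries "hello" (5 bytes) plus padding, with SECRET right behind it.
 * A real peer can claim up to 65535; 64 keeps the demo inside this array. */
static void build_memory(unsigned char *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_LEN);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "hello", 5);
    memcpy(mem + RECORD_LEN, SECRET, sizeof SECRET);
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Feed a record claiming claimed_len payload bytes to one of the handlers.
 * Returns -1 if the handler rejected the record, 1 if SECRET bytes ended up
 * in the response, 0 if a response was produced without leaking them. */
int heartbeat_leaks(int use_fixed, uint16_t claimed_len) {
    unsigned char mem[MEM_LEN];
    build_memory(mem, claimed_len);
    size_t resp_len = 0;
    unsigned char *resp = use_fixed ? hb_respond_fixed(mem, RECORD_LEN, &resp_len)
                                    : hb_respond_vulnerable(mem, RECORD_LEN, &resp_len);
    if (resp == NULL) return -1;
    int leaked = contains(resp, resp_len, SECRET);
    free(resp);
    return leaked;
}

int main(void) {
    printf("vulnerable, honest 5-byte request:  %d\n", heartbeat_leaks(0, 5));
    printf("vulnerable, request claiming 64:    %d\n", heartbeat_leaks(0, 64));
    printf("fixed, request claiming 64:         %d\n", heartbeat_leaks(1, 64));
    return 0;
}
```

The honest request is answered identically by both handlers; the lying request makes the vulnerable handler copy 64 bytes from a 5-byte payload and return the placeholder secret in its response, while the fixed handler drops it. Note that the fix is a comparison against the length the record layer saw, not against the attacker-controlled field, which is the general lesson: a length carried inside the message must never be used to decide how much of the message to read.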
The statement from ODNI claims that the US intelligence agencies do not hide the existence of ‘zero-day’ flaws in commercial and open source software when their disclosure is “in the national interest”.
However, the same statement notes that a vulnerability will be disclosed “unless there is a clear national security or law enforcement need” to withhold it, which essentially means that the NSA can disclose vulnerabilities however and whenever it sees fit.