A closer look at the NSA’s denial of knowledge regarding Heartbleed

When I wrote about the Heartbleed bug last week, and how it means that much of the web has been insecure for the last two years, I found myself thinking: "If I was the NSA, or some other intelligence agency, this is exactly how I would go about gathering sensitive data." It's very nearly the perfect hack: Subvert a piece of open source code that almost everyone uses without question, and then use that vulnerability to extract sensitive information until it's publicly discovered – at which point, you create or find another security hole in another open source project, rinse and repeat. Now, according to Bloomberg, citing two people familiar with the matter, it appears the NSA did just that.

According to Bloomberg, the USA's National Security Agency knew about the Heartbleed bug "for at least two years." Robin Seggelmann, who introduced the bug around two years ago, claims he did so unintentionally. It's entirely possible that he's telling the truth – but it's also possible that the NSA paid him to create the bug, or more nefariously, hacked his computer and introduced the bug without his knowledge.

Maybe the NSA wasn't involved with the creation of the bug at all – maybe there's just an NSA analyst who keeps an eye on important open source projects, looking for bugs that can be exploited by the signals intelligence (sigint) teams. (If you want to know more about the Heartbleed bug, and how it came to be, check out our closer look at how Heartbleed actually works).

Either way, if the NSA knew about the Heartbleed bug for two years and didn't responsibly disclose it to the OpenSSL developers, this would be one of the biggest developments in the history of wiretapping ever. Forget about all of the Snowden-related stuff; it's inconsequential small fry compared to Heartbleed. If the NSA has been using Heartbleed for the past two years... well, it isn't good. It's still very hard to accurately define exactly what was exposed by the Heartbleed bug. It could be as simple as lots of usernames and passwords – but given how encryption keys and security certificates were also made available by the bug, it's entirely possible that the NSA had access to the private networks of governments and corporations around the world.

The NSA, for its part, denies knowing about the Heartbleed bug before 2014. Personally I find it a little too convenient, in the wake of the Snowden leaks and the growing distaste for government overreach, that two people "familiar with the matter" come forward to say that the NSA had full knowledge of the most dangerous security vulnerability ever discovered.

Don't get me wrong: I think it's very likely that the NSA keeps an eye on the source code of open source projects, but I really struggle to believe that it wouldn't disclose the bug. We're talking about a bug that could damage the Internet for years to come: If the NSA could've reported the Heartbleed bug two years ago, not doing so would've been criminally irresponsible.

Moving forward, our advice from last week still stands: You should install a password manager like LastPass, and only change your passwords once your web services confirm that they're no longer vulnerable to Heartbleed. Really, the larger risk here is for institutions and corporations that are scrambling to secure their servers which may have been hacked into for the last two years without trace.